From 8c9620faca93fd25e9c0971f78f40e396059ffd3 Mon Sep 17 00:00:00 2001
From: Jonathan Lebon
Date: Tue, 16 Sep 2025 13:14:06 -0400
Subject: [PATCH 1/2] cmd-build-with-buildah: add `--strict`
All the logic for this actually lives directly in `build-rootfs`, so just pass it through to that.
---
 src/cmd-build-with-buildah | 13 +++++++++++--
 1 file changed, 11 insertions(+), 2 deletions(-)
diff --git a/src/cmd-build-with-buildah b/src/cmd-build-with-buildah
index 3b01510fb6..90684fffa2 100755
--- a/src/cmd-build-with-buildah
+++ b/src/cmd-build-with-buildah
@@ -20,7 +20,8 @@ Usage: coreos-assembler build-with-buildah
 --autolock=VERSION If no base lockfile used, create one from any arch build of `VERSION`. Note this is automatically enabled when adding to an existing multi-arch non-strict build.
- --skip-prune Skip prunning previous builds
+ --skip-prune Skip prunning previous builds.
+ --strict Only allow installing locked packages when using lockfiles.
 --parent-build=VERSION This option does nothing and is provided for backwards compatibility.
 --force This option does nothing and is provided for backwards compatibility.
 EOF
@@ -31,8 +32,9 @@ VERSIONARY=
 DIRECT=
 AUTOLOCK_VERSION=
 SKIP_PRUNE=
+STRICT=
 rc=0
-options=$(getopt --options h,d --longoptions help,version:,versionary,direct,autolock:,skip-prune,parent-build:,force -- "$@") || rc=$?
+options=$(getopt --options h,d --longoptions help,version:,versionary,direct,autolock:,skip-prune,parent-build:,force,strict -- "$@") || rc=$?
 [ $rc -eq 0 ] || {
 print_help
 exit 1
@@ -61,6 +63,9 @@ while true; do
 --skip-prune)
 SKIP_PRUNE=1
 ;;
+ --strict)
+ STRICT=1
+ ;;
 --parent-build)
 shift
 ;;
@@ -161,6 +166,10 @@ build_with_buildah() {
 -v /etc/pki/ca-trust:/etc/pki/ca-trust:ro
 fi
+ if [ -n "${STRICT}" ]; then
+ set -- "$@" --build-arg STRICT_MODE=1
+ fi
+
 if [ -d overrides ]; then
 if [ -d overrides/rpm ]; then
 # Clean up any previous repo metadata
From 3a46b66533dfff6eb06b51808edbc44b75e27fb0 Mon Sep 17 00:00:00 2001
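Review bot: In the last hunk of patch 1/2 (inside `build_with_buildah`, whose body starts and ends outside the hunk), `--strict` becomes `--build-arg STRICT_MODE=1` and nothing on this side confirms that the build actually consumed it. The commit message places the enforcement in `build-rootfs`; if the Containerfile in use does not declare that argument, buildah typically only warns about an unconsumed build arg, so a build requested as strict could finish with unlocked packages and still look successful. Because this flag is a lockfile-enforcement control, I would document the contract at the call site and leave a trace in the build log, for example `# STRICT_MODE is enforced by build-rootfs; the Containerfile must declare ARG STRICT_MODE or --strict is a no-op` followed by `echo "Strict mode: only locked packages may be installed" >&2` inside the `if`. The help text in the first hunk limits the flag to "when using lockfiles", so it would also help to state there whether `--strict` without any lockfile is rejected or silently ignored; that behaviour is not visible in this patch.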
From: Jonathan Lebon
Date: Tue, 16 Sep 2025 14:49:54 -0400
Subject: [PATCH 2/2] cmd-build-with-buildah: fix typo in `--skip-prune` help text
Noticed by Gemini.
---
 src/cmd-build-with-buildah | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/src/cmd-build-with-buildah b/src/cmd-build-with-buildah
index 90684fffa2..929d8912c3 100755
--- a/src/cmd-build-with-buildah
+++ b/src/cmd-build-with-buildah
@@ -20,7 +20,7 @@ Usage: coreos-assembler build-with-buildah
 --autolock=VERSION If no base lockfile used, create one from any arch build of `VERSION`. Note this is automatically enabled when adding to an existing multi-arch non-strict build.
- --skip-prune Skip prunning previous builds.
+ --skip-prune Skip pruning previous builds.
 --strict Only allow installing locked packages when using lockfiles.
 --parent-build=VERSION This option does nothing and is provided for backwards compatibility.
 --force This option does nothing and is provided for backwards compatibility.