hermetic: adapt build-rootfs and buildroot-prep

jbtrystram · joelcapitao · commit 7698e164fffe · 2025-12-01T16:57:55.000+01:00
In hermetic builds there is no access to the network. Detect this by
looking for the `cachi2.repo` that is injected by konflux during the
build.

In this case we make sure to not use any of our own repo and rely on
the repo created by hermeto.
diff --git a/build-rootfs b/build-rootfs
@@ -21,6 +21,8 @@ import yaml
 ARCH = os.uname().machine
 SRCDIR = '/src'
 INPUTHASH = '/run/inputhash'
+HERMETIC_REPO = '/etc/yum.repos.d/cachi2.repo'
+IS_HERMETIC = os.path.exists(HERMETIC_REPO)
 
 
 def main():
@@ -47,7 +49,7 @@ def main():
         # Lockfile repos require special handling because we only want locked
         # NEVRAs to appear there. For lack of a generic solution for any repo
         # there, we only special-case the one place where we know we use this.
-        if lockfile_repos == ['fedora-coreos-pool']:
+        if lockfile_repos == ['fedora-coreos-pool'] and not IS_HERMETIC:
             modify_pool_repo(locked_nevras)
             repos += lockfile_repos
         elif len(lockfile_repos) > 0:
@@ -107,12 +109,15 @@ def inject_yumrepos():
         if os.path.basename(repo) == 'secret.repo':
             # this is a supported podman secret to inject repo files; see Containerfile
             continue
+        if repo == HERMETIC_REPO:
+            # this is the repo Konflux injects when hermetic build is enabled
+            continue
         os.unlink(repo)
 
     # and now inject our repos
-    for repo in glob.glob(f'{SRCDIR}/*.repo'):
-        shutil.copy(repo, "/etc/yum.repos.d")
-
+    if not IS_HERMETIC:
+        for repo in glob.glob(f'{SRCDIR}/*.repo'):
+            shutil.copy(repo, "/etc/yum.repos.d")
 
 def build_rootfs(
     target_rootfs, manifest_path, packages, locked_nevras,
diff --git a/buildroot-prep b/buildroot-prep
@@ -8,8 +8,11 @@ set -euo pipefail
 arch=$(uname -m)
 . /etc/os-release
 
-cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
-
+# cachi2 is the repo Konflux injects when hermetic build is enabled and
+# is self-sufficient to pull all the required RPMs.
+if [ ! -f "/etc/yum.repos.d/cachi2.repo" ]; then
+    cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
+fi
 # NOTE: try to remove anything that queries repos here once it's no longer
 # needed so that we don't unnecessarily pay for repo metadata.
 
