diff --git a/.tekton/base/base/fedora-coreos.yaml b/.tekton/base/base/fedora-coreos.yaml
index 8f0b4a8f4a..3255f6ed37 100644
--- a/.tekton/base/base/fedora-coreos.yaml
+++ b/.tekton/base/base/fedora-coreos.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml b/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml
index a97f752b4e..c40c1f980a 100644
--- a/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml
+++ b/.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/base/on-push/fedora-coreos-on-push.yaml b/.tekton/base/on-push/fedora-coreos-on-push.yaml
index 06d32e6181..a5c45be47a 100644
--- a/.tekton/base/on-push/fedora-coreos-on-push.yaml
+++ b/.tekton/base/on-push/fedora-coreos-on-push.yaml
@@ -40,6 +40,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml b/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml
index 0923e98db7..e6386a98aa 100644
--- a/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml
+++ b/.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml
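Review bot: Turning on `hermetic` with `prefetch-input` `{"type": "rpm", "path": "."}` makes the build depend entirely on the prefetched RPM set, and nothing in this diff shows the lockfile that the prefetch step presumably reads from the repository root. If that file is maintained elsewhere, it is worth confirming that it resolves for every platform listed above the hunk (`linux/ppc64le` is visible), because a hermetic build cannot fall back to the network for a missing package. The same four lines are added to each of the other PipelineRun files under `.tekton/`. Separately, `value: true` is an unquoted YAML boolean where Tekton parameters are strings; `value: "true"` avoids relying on coercion.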
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml b/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml
index ea6d5cc2ff..5fdcd6e48a 100644
--- a/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml
+++ b/.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml b/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml
index 7354d011cb..ae024fed81 100644
--- a/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml
+++ b/.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml b/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml
index ef6ac4c672..a23843b230 100644
--- a/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml
+++ b/.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml b/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml
index 66266f4a51..15a5d43c71 100644
--- a/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml
+++ b/.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/next/on-push/fedora-coreos-next-on-push.yaml b/.tekton/next/on-push/fedora-coreos-next-on-push.yaml
index 05ca0c58fb..95c94865f3 100644
--- a/.tekton/next/on-push/fedora-coreos-next-on-push.yaml
+++ b/.tekton/next/on-push/fedora-coreos-next-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml b/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml
index 9e261105db..2ec30980ef 100644
--- a/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml
+++ b/.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml b/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml
index e54d3ea3dd..da76d9da5d 100644
--- a/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml
+++ b/.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml b/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml
index 85989d802b..ce2c8f349f 100644
--- a/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml
+++ b/.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml b/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml
index f864a45da9..a1e4a91198 100644
--- a/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml
+++ b/.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml b/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml
index 29d0fcf86a..e37465767f 100644
--- a/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml
+++ b/.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml b/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml
index 719a382f05..1e77ede652 100644
--- a/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml
+++ b/.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml b/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml
index 3504c7ab27..4ae95dd51f 100644
--- a/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml
+++ b/.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml
@@ -42,6 +42,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 - name: image-expires-after
 value: 5d
 pipelineRef:
diff --git a/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml b/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml
index 016a70d51c..daeef92201 100644
--- a/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml
+++ b/.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml
@@ -41,6 +41,10 @@ spec:
 - linux/ppc64le
 - name: clone-depth
 value: 50
+ - name: hermetic
+ value: true
+ - name: prefetch-input
+ value: '[{"type": "rpm", "path": "."}]'
 pipelineRef:
 params:
 - name: bundle
diff --git a/build-rootfs b/build-rootfs
index bde3b8dbf5..4d8b26e58c 100755
--- a/build-rootfs
+++ b/build-rootfs
@@ -21,6 +21,8 @@ import yaml
 ARCH = os.uname().machine
 SRCDIR = '/src'
 INPUTHASH = '/run/inputhash'
+HERMETIC_REPO = '/etc/yum.repos.d/cachi2.repo'
+IS_HERMETIC = os.path.exists(HERMETIC_REPO)
 def main():
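Review bot: `IS_HERMETIC` is derived only from the presence of `/etc/yum.repos.d/cachi2.repo`, evaluated once at import, so any base image or earlier layer that leaves a file of that name in place would switch the script into hermetic mode without the pipeline having asked for it. In that mode the later hunks skip copying the `{SRCDIR}/*.repo` files and skip `modify_pool_repo`, so package resolution would rest on whatever that file points at. Consider pairing the file check with an explicit signal set by the pipeline, and at least document the constant, e.g. `# Konflux mounts cachi2.repo for hermetic builds; its presence switches off our own repo injection`. `buildroot-prep` repeats the same path test in shell, so the two need to be kept in sync.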
@@ -51,8 +53,9 @@ def main():
 # NEVRAs to appear there. For lack of a generic solution for any repo
 # there, we only special-case the one place where we know we use this.
 if lockfile_repos == ['fedora-coreos-pool']:
- modify_pool_repo(locked_nevras)
- repos += lockfile_repos
+ if not IS_HERMETIC:
+ modify_pool_repo(locked_nevras)
+ repos += lockfile_repos
 elif len(lockfile_repos) > 0:
 raise Exception(f"unknown lockfile-repo found in {lockfile_repos}")
@@ -110,12 +113,15 @@ def inject_yumrepos():
 if os.path.basename(repo) == 'secret.repo':
 # this is a supported podman secret to inject repo files; see Containerfile
 continue
+ if repo == HERMETIC_REPO:
+ # this is the repo Konflux injects when hermetic build is enabled
+ continue
 os.unlink(repo)
 # and now inject our repos
- for repo in glob.glob(f'{SRCDIR}/*.repo'):
- shutil.copy(repo, "/etc/yum.repos.d")
-
+ if not IS_HERMETIC:
+ for repo in glob.glob(f'{SRCDIR}/*.repo'):
+ shutil.copy(repo, "/etc/yum.repos.d")
 def build_rootfs(
 target_rootfs, manifest_path, packages, locked_nevras,
diff --git a/buildroot-prep b/buildroot-prep
index 132684c07f..c61db75fcf 100755
--- a/buildroot-prep
+++ b/buildroot-prep
@@ -8,8 +8,11 @@ set -euo pipefail
 arch=$(uname -m)
 . /etc/os-release
-cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
-
+# cachi2 is the repo Konflux injects when hermetic build is enabled and
+# is self-sufficient to pull all the required RPMs.
+if [ ! -f "/etc/yum.repos.d/cachi2.repo" ]; then
+ cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
+fi
 # NOTE: try to remove anything that queries repos here once it's no longer
 # needed so that we don't unnecessarily pay for repo metadata.
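Review bot: In the `lockfile_repos == ['fedora-coreos-pool']` branch, `repos += lockfile_repos` now appears to sit under `if not IS_HERMETIC:` as well (it is removed and re-added, which suggests it was re-indented), so in hermetic mode the lockfile repo is silently dropped rather than enabled. That is probably intended, but the reason is not stated where the decision is made. A comment such as `# hermetic: locked NEVRAs come from the prefetched cachi2 repo, so the pool repo is neither rewritten nor enabled` would help, assuming that is the intent. `main()` starts and ends outside the hunk, so how `repos` is consumed afterwards is not visible here.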
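Review bot: The new exemption in `inject_yumrepos` compares the full path (`repo == HERMETIC_REPO`) while the `secret.repo` exemption just above compares `os.path.basename(repo)`. The full-path test only matches if the glob feeding the loop, which is outside the hunk, yields exactly `/etc/yum.repos.d/cachi2.repo`. Using the same form for both, e.g. `if os.path.basename(repo) == os.path.basename(HERMETIC_REPO):`, keeps the two exemptions consistent and avoids unlinking the injected repo on a path mismatch. The hunk also appears to remove one of the blank lines before `def build_rootfs(`, leaving a single blank line where PEP 8 expects two.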