Skip to content

konflux: enable hermetic builds #3723

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
joelcapitao merged 2 commits into from
Jan 20, 2026
Merged

konflux: enable hermetic builds #3723

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
2 commits
Select commit Hold shift + click to select a range
8b4c5a2
konflux: enable hermetic builds
jbtrystram Sep 4, 2025
09d754c
hermetic: adapt build-rootfs and buildroot-prep
jbtrystram Sep 5, 2025
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
4 changes: 4 additions & 0 deletions .tekton/base/base/fedora-coreos.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/base/on-push/fedora-coreos-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -40,6 +40,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/branched/on-push/fedora-coreos-branched-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/next/on-push/fedora-coreos-next-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/stable/on-push/fedora-coreos-stable-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
4 changes: 4 additions & 0 deletions .tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -42,6 +42,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
- name: image-expires-after
value: 5d
pipelineRef:
Expand Down
4 changes: 4 additions & 0 deletions .tekton/testing/on-push/fedora-coreos-testing-on-push.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -41,6 +41,10 @@ spec:
- linux/ppc64le
- name: clone-depth
value: 50
- name: hermetic
value: true
- name: prefetch-input
value: '[{"type": "rpm", "path": "."}]'
pipelineRef:
params:
- name: bundle
Expand Down
16 changes: 11 additions & 5 deletions build-rootfs
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -21,6 +21,8 @@ import yaml
ARCH = os.uname().machine
SRCDIR = '/src'
INPUTHASH = '/run/inputhash'
HERMETIC_REPO = '/etc/yum.repos.d/cachi2.repo'
IS_HERMETIC = os.path.exists(HERMETIC_REPO)


def main():
Expand Down Expand Up @@ -51,8 +53,9 @@ def main():
# NEVRAs to appear there. For lack of a generic solution for any repo
# there, we only special-case the one place where we know we use this.
if lockfile_repos == ['fedora-coreos-pool']:
modify_pool_repo(locked_nevras)
repos += lockfile_repos
if not IS_HERMETIC:
modify_pool_repo(locked_nevras)
repos += lockfile_repos
elif len(lockfile_repos) > 0:
raise Exception(f"unknown lockfile-repo found in {lockfile_repos}")

Expand Down Expand Up @@ -110,12 +113,15 @@ def inject_yumrepos():
if os.path.basename(repo) == 'secret.repo':
# this is a supported podman secret to inject repo files; see Containerfile
continue
if repo == HERMETIC_REPO:
# this is the repo Konflux injects when hermetic build is enabled
continue
os.unlink(repo)

# and now inject our repos
for repo in glob.glob(f'{SRCDIR}/*.repo'):
shutil.copy(repo, "/etc/yum.repos.d")

if not IS_HERMETIC:
for repo in glob.glob(f'{SRCDIR}/*.repo'):
shutil.copy(repo, "/etc/yum.repos.d")

def build_rootfs(
target_rootfs, manifest_path, packages, locked_nevras,
Expand Down
7 changes: 5 additions & 2 deletions buildroot-prep
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -8,8 +8,11 @@ set -euo pipefail
arch=$(uname -m)
. /etc/os-release

cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d

# cachi2 is the repo Konflux injects when hermetic build is enabled and
# is self-sufficient to pull all the required RPMs.
if [ ! -f "/etc/yum.repos.d/cachi2.repo" ]; then
cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
fi
Comment on lines +11 to +15
Copy link
Member

@dustymabe dustymabe Jan 20, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

not copying the fedora-coreos-continuous repo here means the step below with --repo fedora-coreos-continuous will fail.

I wonder if the buildroot-prep stuff is just never going to work with hermetic?

OR - better, let's just fold calling buildroot-prep into build-rootfs as a another function that gets called (which shells out to the script). This means it can run after we call inject_yumrepos() and can use the hermeto repo to pull the RPM from if we want.

Copy link
Member

@joelcapitao joelcapitao Jan 20, 2026
edited
Loading

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Good point, let's give a try.
But note that the line -repo fedora-coreos-continuous is not run at all since a while now. Actually, the whole script is noop at the moment. But we still need to support what you proposed for future need.

Copy link
Member

@joelcapitao joelcapitao Jan 21, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

#3973

# NOTE: try to remove anything that queries repos here once it's no longer
# needed so that we don't unnecessarily pay for repo metadata.

Expand Down