hermetic: adapt build-rootfs and buildroot-prep

jbtrystram · jbtrystram · commit 8544f889b292 · 2025-10-07T14:26:05.000+02:00
In hermetic builds there is no access to the network. Detect this by
looking for the `cachi2.repo` that is injected by konflux during the
build.

In this case we make sure to not use any of our own repo and rely on
the repo created by hermeto.
diff --git a/build-rootfs b/build-rootfs
@@ -21,6 +21,7 @@ import yaml
 ARCH = os.uname().machine
 SRCDIR = '/src'
 INPUTHASH = '/run/inputhash'
+HERMETIC = os.path.exists("/etc/yum.repos.d/cachi2.repo")
 
 
 def main():
@@ -48,8 +49,9 @@ def main():
         # NEVRAs to appear there. For lack of a generic solution for any repo
         # there, we only special-case the one place where we know we use this.
         if lockfile_repos == ['fedora-coreos-pool']:
-            modify_pool_repo(locked_nevras)
-            repos += lockfile_repos
+            if not HERMETIC:
+                modify_pool_repo(locked_nevras)
+                repos += lockfile_repos
         elif len(lockfile_repos) > 0:
             raise Exception(f"unknown lockfile-repo found in {lockfile_repos}")
 
@@ -104,12 +106,16 @@ def inject_yumrepos():
         if os.path.basename(repo) == 'secret.repo':
             # this is a supported podman secret to inject repo files; see Containerfile
             continue
+        # cachi2 is an injected repo by konflux for hermetic build.
+        # We want to keep it active.
+        if os.path.basename(repo) == 'cachi2.repo':
+            continue
         os.unlink(repo)
 
     # and now inject our repos
-    for repo in glob.glob(f'{SRCDIR}/*.repo'):
-        shutil.copy(repo, "/etc/yum.repos.d")
-
+    if not HERMETIC:
+        for repo in glob.glob(f'{SRCDIR}/*.repo'):
+            shutil.copy(repo, "/etc/yum.repos.d")
 
 def build_rootfs(target_rootfs, manifest_path, packages, locked_nevras, overlays, repos, nodocs):
     passwd_group_dir = os.getenv('PASSWD_GROUP_DIR')
diff --git a/buildroot-prep b/buildroot-prep
@@ -8,8 +8,10 @@ set -euo pipefail
 arch=$(uname -m)
 . /etc/os-release
 
-cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
-
+# in hermetic mode we can't reach out to internet
+if [ ! -f "/etc/yum.repos.d/cachi2.repo" ]; then
+    cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
+fi
 # NOTE: try to remove anything that queries repos here once it's no longer
 # needed so that we don't unnecessarily pay for repo metadata.
 
