konflux: enable hermetic builds

.tekton/base/base/fedora-coreos.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/base/on-pull-request/fedora-coreos-on-pull-request.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/base/on-push/fedora-coreos-on-push.yaml

@@ -38,6 +38,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/branched/on-pull-request/fedora-coreos-branched-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/branched/on-push/fedora-coreos-branched-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/next-devel/on-pull-request/fedora-coreos-next-devel-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/next-devel/on-push/fedora-coreos-next-devel-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/next/on-pull-request/fedora-coreos-next-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/next/on-push/fedora-coreos-next-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/rawhide/on-pull-request/fedora-coreos-rawhide-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/rawhide/on-push/fedora-coreos-rawhide-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/stable/on-pull-request/fedora-coreos-stable-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/stable/on-push/fedora-coreos-stable-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

.tekton/testing/on-pull-request/fedora-coreos-testing-on-pull-request.yaml

@@ -40,6 +40,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   - name: image-expires-after
     value: 5d
   pipelineRef:

.tekton/testing/on-push/fedora-coreos-testing-on-push.yaml

@@ -39,6 +39,10 @@ spec:
     - linux/arm64
     - linux/s390x
     - linux/ppc64le
+  - name: hermetic
+    value: true
+  - name: prefetch-input
+    value: '[{"type": "rpm", "path": ".", "options": {"dnf": {"fedora-coreos-pool": {"gpgcheck": "0"}}}}]'
   pipelineRef:
     params:
     - name: bundle

build-rootfs

@@ -21,6 +21,7 @@ import yaml
 ARCH = os.uname().machine
 SRCDIR = '/src'
 INPUTHASH = '/run/inputhash'
+HERMETIC = os.path.exists("/etc/yum.repos.d/cachi2.repo")
 
 
 def main():
@@ -48,8 +49,9 @@ def main():
         # NEVRAs to appear there. For lack of a generic solution for any repo
         # there, we only special-case the one place where we know we use this.
         if lockfile_repos == ['fedora-coreos-pool']:
-            modify_pool_repo(locked_nevras)
-            repos += lockfile_repos
+            if not HERMETIC:
+                modify_pool_repo(locked_nevras)
+                repos += lockfile_repos
         elif len(lockfile_repos) > 0:
             raise Exception(f"unknown lockfile-repo found in {lockfile_repos}")
 
@@ -104,12 +106,16 @@ def inject_yumrepos():
         if os.path.basename(repo) == 'secret.repo':
             # this is a supported podman secret to inject repo files; see Containerfile
             continue
+        # cachi2 is an injected repo by konflux for hermetic build.
+        # We want to keep it active.
+        if os.path.basename(repo) == 'cachi2.repo':
+            continue
         os.unlink(repo)
 
     # and now inject our repos
-    for repo in glob.glob(f'{SRCDIR}/*.repo'):
-        shutil.copy(repo, "/etc/yum.repos.d")
-
+    if not HERMETIC:
+        for repo in glob.glob(f'{SRCDIR}/*.repo'):
+            shutil.copy(repo, "/etc/yum.repos.d")
 
 def build_rootfs(target_rootfs, manifest_path, packages, locked_nevras, overlays, repos, nodocs):
     passwd_group_dir = os.getenv('PASSWD_GROUP_DIR')

buildroot-prep

@@ -8,12 +8,14 @@ set -euo pipefail
 arch=$(uname -m)
 . /etc/os-release
 
-cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
-
+# in hermetic mode we can't reach out to internet
+if [ ! -f "/etc/yum.repos.d/cachi2.repo" ]; then
+    cp /src/fedora-coreos-continuous.repo /etc/yum.repos.d
+fi
 # NOTE: try to remove anything that queries repos here once it's no longer
 # needed so that we don't unnecessarily pay for repo metadata.
 
 # make sure we have https://github.com/coreos/rpm-ostree/pull/5454
 if ! rpm-ostree compose build-chunked-oci -h | grep -q -- --label; then
-    sudo dnf update rpm-ostree -y --repo fedora-coreos-continuous --releasever "$VERSION_ID"
+    sudo dnf update rpm-ostree --nogpgcheck -y --repo fedora-coreos-continuous --releasever "$VERSION_ID"
 fi

konflux-lockfile-override.yaml

@@ -0,0 +1,33 @@
+# This file will be merged with 'rpms.lock.yaml' which provides the RPMs
+# to konflux hermetic build environnement.
+# e.g. to get rpm-ostree from the fedora-coreos-continuous repo:
+# for arch in 'x86_64' 'aarch64' 'ppc64le' 's390x';
+#    do dnf repoquery rpm-ostree-2025.11 --disablerepo='*' --enablerepo f42-coreos-continuous \
+#          --location --forcearch $arch --quiet \
+#    ;done
+arches:
+  - arch: aarch64
+    packages:
+      # rpm-ostree 2025.11 for buildroot-prep
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/aarch64/Packages/r/rpm-ostree-2025.11-1.fc42.aarch64.rpm
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/aarch64/Packages/r/rpm-ostree-libs-2025.11-1.fc42.aarch64.rpm
+  - arch: s390x
+    packages:
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/s390x/Packages/r/rpm-ostree-2025.11-1.fc42.s390x.rpm
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/s390x/Packages/r/rpm-ostree-libs-2025.11-1.fc42.s390x.rpm
+  - arch: ppc64le
+    packages:
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/ppc64le/Packages/r/rpm-ostree-2025.11-1.fc42.ppc64le.rpm
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/ppc64le/Packages/r/rpm-ostree-libs-2025.11-1.fc42.ppc64le.rpm
+  - arch: x86_64
+    packages:
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/x86_64/Packages/r/rpm-ostree-2025.11-1.fc42.x86_64.rpm
+      - repoid: fedora-coreos-continuous
+        url: https://kojipkgs.fedoraproject.org/repos-dist/f42-coreos-continuous/latest/x86_64/Packages/r/rpm-ostree-libs-2025.11-1.fc42.x86_64.rpm