[next] tree: promote changes from next-devel at 547cccebb2d1a243a6dc5b603a079ae3ba562fd2

.cci.jenkinsfile

@@ -19,18 +19,16 @@ cosaPod(cpus: 4, memory: "9Gi") {
         cosa init ${env.WORKSPACE}/config
         python3 /usr/lib/coreos-assembler/download-overrides.py
         # prep from the latest builds so that we generate a diff on PRs that add packages
-        cosa buildfetch --stream=${env.CHANGE_TARGET}
+        cosa buildfetch --stream=${env.CHANGE_TARGET} --artifact=ostree
     """)
 
     // use a --parent-build arg so we can diff later and it matches prod
     def parent_arg = ""
-    def parent_commit = ""
     if (shwrapRc("test -e /srv/coreos/builds/latest/${basearch}/meta.json") == 0) {
         shwrap("cp /srv/coreos/builds/latest/${basearch}/meta.json .") // readJSON wants it in the WORKSPACE
         def meta = readJSON file: "meta.json"
         def version = meta["buildid"]
         parent_arg = "--parent-build ${version}"
-        parent_commit = meta["ostree-commit"]
     }
 
     // do a build. If we are operating on a mechanical stream then we
@@ -55,8 +53,7 @@ cosaPod(cpus: 4, memory: "9Gi") {
         stage("RPM Diff") {
             shwrap("""
                 cd /srv/coreos
-                new_commit=\$(jq -r '.["ostree-commit"]' builds/latest/${basearch}/meta.json)
-                rpm-ostree db diff --repo tmp/repo ${parent_commit} \${new_commit} | tee tmp/diff.txt
+                cosa diff --rpms | tee tmp/diff.txt
                 if grep -q Downgraded tmp/diff.txt; then
                     echo "Downgrade detected. This is likely unintentional. If not, you may safely ignore this error."
                     exit 1

.containerignore

@@ -15,4 +15,5 @@
 !/manifests/
 !/manifest.yaml
 !/overlay.d/
+!/overrides/
 !/platforms.yaml

.github/workflows/container-native.yml

@@ -29,32 +29,22 @@ jobs:
           podman run --rm -v $PWD:/run/src -w /run/src quay.io/fedora/fedora:latest sh -c '
             set -xeuo pipefail
             dnf -y install koji createrepo_c python3-dnf python3-PyYAML && dnf clean all
-            workdir="/run/src"
-            overridesdir="rpmoverrides"
+            overridesdir="overrides/rpm"
 
             # prepare directory to download override packages
-            [ -d ${overridesdir} ] && rm -rf ${overridesdir}
             mkdir -p "${overridesdir}"
 
             curl -LO https://raw.githubusercontent.com/coreos/coreos-assembler/refs/heads/main/src/download-overrides.py
             python3 download-overrides.py --downloaddir "./${overridesdir}" --lockfiledir "./"
 
             # create local yum repo
             if [[ -n $(ls "${overridesdir}/"*.rpm 2> /dev/null) ]]; then
-              cd "${overridesdir}" && createrepo_c .
-              cat > "${workdir}"/local-overrides.repo <<EOF
-          [local-overrides]
-          name=local-overrides
-          baseurl=file://${workdir}/${overridesdir}/
-          enabled=1
-          gpgcheck=0
-          cost=500
-          EOF
+              (cd "${overridesdir}" && createrepo_c .)
             else
               # remove empty dir rpmoverrides
-              rmdir "${workdir}/${overridesdir}/"
+              rm -rf "${overridesdir}/"
             fi
-            rm "${workdir}"/download-overrides.py
+            rm download-overrides.py
           '
       - name: Build
         # Note: we should be able to drop the `-v $PWD:/run/src` once

.tekton/fcos-buildroot/fcos-buildroot-pull-request.yaml

@@ -15,7 +15,7 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
     pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch
-      == "testing-devel" && (".tekton/fcos-buildroot-pull-request.yaml".pathChanged() || "ci/buildroot/**".pathChanged())
+      == "testing-devel" && (".tekton/fcos-buildroot/fcos-buildroot-pull-request.yaml".pathChanged() || "ci/buildroot/**".pathChanged())
   creationTimestamp: null
 spec:
   params:

.tekton/fcos-buildroot/fcos-buildroot-push.yaml

@@ -14,7 +14,7 @@ metadata:
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
     pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch
-      == "testing-devel" && (".tekton/fcos-buildroot-push.yaml".pathChanged() ||  "ci/buildroot/**".pathChanged())
+      == "testing-devel" && (".tekton/fcos-buildroot/fcos-buildroot-push.yaml".pathChanged() ||  "ci/buildroot/**".pathChanged())
   creationTimestamp: null
 spec:
   params:

.tekton/testing-devel/on-pull-request/fedora-coreos-testing-devel-on-pull-request.yaml

@@ -14,7 +14,7 @@ metadata:
     build.appstudio.redhat.com/pull_request_number: '{{pull_request_number}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/")))
+    pipelinesascode.tekton.dev/on-cel-expression: event == "pull_request" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/"))) && !(".tekton/fcos-buildroot".pathChanged())
   creationTimestamp: null
 spec:
   params:

.tekton/testing-devel/on-pull-request/kustomization.yaml

@@ -26,5 +26,5 @@ patches:
         value: 'fedora-coreos-testing-devel-on-pull-request'
       - op: replace
         path: /metadata/annotations/pipelinesascode.tekton.dev~1on-cel-expression
-        value: 'event == "pull_request" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/")))'
+        value: 'event == "pull_request" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/"))) && !(".tekton/fcos-buildroot".pathChanged())'
 

.tekton/testing-devel/on-push/fedora-coreos-testing-devel-on-push.yaml

@@ -13,7 +13,7 @@ metadata:
     build.appstudio.redhat.com/commit_sha: '{{revision}}'
     build.appstudio.redhat.com/target_branch: '{{target_branch}}'
     pipelinesascode.tekton.dev/max-keep-runs: "3"
-    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/")))
+    pipelinesascode.tekton.dev/on-cel-expression: event == "push" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/"))) && !(".tekton/fcos-buildroot".pathChanged())
   creationTimestamp: null
 spec:
   params:

.tekton/testing-devel/on-push/kustomization.yaml

@@ -26,5 +26,5 @@ patches:
         value: 'fedora-coreos-testing-devel-on-push'
       - op: replace
         path: /metadata/annotations/pipelinesascode.tekton.dev~1on-cel-expression
-        value: 'event == "push" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/")))'
+        value: 'event == "push" && target_branch == "testing-devel" && !(files.all.all(f, f.matches("ci/buildroot/"))) && !(".tekton/fcos-buildroot".pathChanged())'
 

Containerfile

@@ -22,6 +22,7 @@ ARG VERSION=overridden
 ARG MANIFEST=overridden
 # XXX: see inject_passwd_group() in build-rootfs
 ARG PASSWD_GROUP_DIR
+ARG STRICT_MODE=0
 
 COPY . /src
 # canonicalize permission bits, see also https://gitlab.com/fedora/bootc/base-images/-/merge_requests/274

build-rootfs

@@ -62,6 +62,9 @@ def main():
 
     if version != "":
         inject_version_info(target_rootfs, manifest['mutate-os-release'], version)
+    strict_mode = os.getenv('STRICT_MODE')
+    if strict_mode == '1':
+        verify_strict_mode(target_rootfs, locked_nevras)
     run_postprocess_scripts(target_rootfs, manifest)
 
 
@@ -235,12 +238,13 @@ priority=1
 
 # Could upstream this as e.g. `bootc-base-imagectl runroot /rootfs <cmd>` maybe?
 # But we'd need to carry it anyway at least for RHCOS 9.6.
-def bwrap(rootfs, args):
-    subprocess.check_call(['bwrap', '--bind', f'{rootfs}', '/',
-                           '--dev', '/dev', '--proc', '/proc',
-                           '--tmpfs', '/tmp', '--tmpfs', '/var', '--tmpfs', '/run',
-                           '--bind', '/run/.containerenv', '/run/.containerenv',
-                           '--'] + args)
+def bwrap(rootfs, args, capture=False):
+    args = ['bwrap', '--bind', f'{rootfs}', '/', '--dev', '/dev', '--proc',
+            '/proc', '--tmpfs', '/tmp', '--tmpfs', '/var', '--tmpfs', '/run',
+            '--bind', '/run/.containerenv', '/run/.containerenv', '--'] + args
+    if capture:
+        return subprocess.check_output(args, encoding='utf-8')
+    subprocess.check_call(args)
 
 
 def get_locked_nevras(local_overrides):
@@ -367,6 +371,15 @@ def inject_content_manifest(target_rootfs, manifest):
         })
 
 
+def verify_strict_mode(rootfs, locked_nevras):
+    rpms = bwrap(rootfs, ['rpm', '-qa', '--qf', '%{NEVRA}\t%{NEVR}\n'], capture=True)
+    for rpm in rpms.splitlines():
+        nevra, nevr = rpm.split()
+        if nevra not in locked_nevras and nevr not in locked_nevras:
+            raise Exception(f"found unlocked RPM in strict mode: {rpm}")
+    print("Strict mode: all installed packages were locked")
+
+
 # Imported from cosa
 # Merge two lists, avoiding duplicates. Exact duplicate kargs could be valid
 # but we have no use case for them right now in our official images.

kola-denylist.yaml

@@ -12,13 +12,24 @@
     - ppc64le
 - pattern: fcos.ignition.v3.noop
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/2021
-  # snooze: 2025-09-15 (disabled on promotion)
+  # snooze: 2025-09-29 (disabled on promotion)
   # warn: true (disabled on promotion)
   platforms:
     - azure
 - pattern: fcos.ignition.misc.empty
   tracker: https://github.com/coreos/fedora-coreos-tracker/issues/2021
-  # snooze: 2025-09-15 (disabled on promotion)
+  # snooze: 2025-09-29 (disabled on promotion)
   # warn: true (disabled on promotion)
   platforms:
     - azure
+- pattern: coreos.unique.boot.failure
+  tracker: https://github.com/coreos/fedora-coreos-tracker/issues/2019
+  snooze: 2025-09-29
+  warn: true
+  arches:
+    - aarch64
+  streams:
+    - next
+    - next-devel
+    - branched
+    - rawhide