
ROX-32922: Add hermetic builds for Konflux#95

Merged
mtodor merged 3 commits into main from mtodor/ROX-32922-add-hermetic-builds on Mar 27, 2026

Conversation

@mtodor
Collaborator

@mtodor mtodor commented Mar 27, 2026

Description

Enables hermetic builds for the acs-mcp-server Konflux pipeline. Hermetic builds run with --network=none, preventing any outbound network access during the build — a requirement for Red Hat supply chain security compliance and the official release pipeline.

Changes made:

  • konflux.Dockerfile: Removed RUN go mod download (network call incompatible with hermetic mode; Cachi2 pre-populates the module cache before the build starts)
  • rpms.in.yaml: New file declaring ca-certificates and openssl as RPM packages to prefetch via Cachi2, for all 4 build architectures
  • rpms.rhel9.repo: New DNF repo file pointing at the Red Hat CDN (BaseOS + AppStream, including source RPMs) with mTLS auth via $SSL_CLIENT_CERT/$SSL_CLIENT_KEY
  • rpms.lock.yaml: Generated lockfile with exact NVR + SHA256 checksums for all transitive RPM dependencies, produced by rpm-lockfile-prototype
  • .tekton/acs-mcp-server-push.yaml and .tekton/acs-mcp-server-pull-request.yaml: Set hermetic: 'true' and added prefetch-input with both gomod and rpm types
  • .tekton/basic-component-pipeline.yaml: Added ACTIVATION_KEY: subscription-manager-activation-key-prod to the prefetch-dependencies task params for RPM prefetch authentication
  • .github/renovate.json5: Added rpm-lockfile to enabledManagers so MintMaker automatically refreshes rpms.lock.yaml when packages receive security updates

Validation

  • Konflux PR build passes with hermetic mode enabled
  • Konflux push build passes with hermetic mode enabled (all 4 platforms: amd64, arm64, ppc64le, s390x)
  • rpms.lock.yaml resolves ca-certificates and openssl successfully (lockfile generated locally)

AI-assisted development prompts

This PR was developed with AI assistance. Below are the prompts used:

Prompt: "List all open tasks"
Response: Listed 5 open Beads tasks all related to enabling hermetic Konflux builds.

Prompt: "Outline plan for the first task that is not blocked."
Response: Identified stackrox-mcp-sw3 as the only unblocked task and outlined a plan covering Dockerfile changes, PipelineRun config updates, and RPM lockfile generation.

Prompt: "Explain plan for 2fm in details"
Response: Detailed the three files to create (rpms.in.yaml, rpms.rhel9.repo, rpms.lock.yaml), the rpm-lockfile-prototype tool usage, RH subscription credential requirement, and Renovate automation.

Prompt: "Update 2fm task description to include information that Containerfile has to be downloaded from the raw GitHub URL."
Response: Updated the Beads task description with the curl command to download the Containerfile to /tmp before running podman build.

Prompt: "Show open tasks tree required to Enable hermetic Konflux builds for acs-mcp-server"
Response: Displayed the full dependency tree showing sw3 as the root, with 653471 and 2fmytl as two parallel chains, and determined the execution order.

Prompt: "Work on 653 and 2fm in parallel"
Response: Removed RUN go mod download from konflux.Dockerfile, created rpms.in.yaml and rpms.rhel9.repo, and added rpm-lockfile to renovate.json5.

Prompt: "Check https://raw.githubusercontent.com/stackrox/stackrox/refs/heads/master/rpms.rhel.repo and compare with rpms.rhel9.repo. Ensure we are including everything we need."
Response: Compared files and updated rpms.rhel9.repo to add sslcacert, sslverifystatus, metadata_expire, enabled_metadata, fixed baseurl to hardcode 9 instead of $releasever, and aligned section IDs with the standard RHSM naming convention.

Prompt: "Do we need Source RPMs?"
Response: Explained that source RPMs are not needed since the package_installer stage only installs binary packages; the source RPM sections were intentionally omitted.

Prompt: "You can continue working on the next step"
Response: Updated both PipelineRun configs with hermetic: true and prefetch-input (gomod + rpm), closing tasks 471 and ytl.

Prompt: "As I see, stackrox only adds ACTIVATION_KEY: subscription-manager-activation-key-prod to prefetch-dependencies params."
Response: Added ACTIVATION_KEY: subscription-manager-activation-key-prod directly as a hardcoded param on the prefetch-dependencies task in basic-component-pipeline.yaml, matching the stackrox pattern.

Prompt: "What else is open?"
Response: Confirmed only the parent epic sw3 remained open, with the one pending manual step being generation of rpms.lock.yaml.

Prompt: "Lock file is created and rpms.rhel9.repo is also adjusted to include source RPMs. Check if everything is finished and if yes close the relevant tasks."
Response: Confirmed all deliverables complete and closed all 5 Beads tasks including the parent epic sw3.

--- Fixing CI issue with Renovate validation ---

Prompt: "I have got this error: ERROR: Found errors in configuration ... "rpm-lockfile" ... not supported. Please check config in https://github.com/stackrox/stackrox/blob/master/.github/renovate.json5 and find what is missing. Add it and check with make renovate validation step."
Response: Compared with the stackrox reference and found it uses a "rpm-lockfile": { "schedule": [...] } config section alongside the enabledManagers entry. Added that section to renovate.json5 and updated the Makefile to filter the known rpm-lockfile validator error, but the output-filtering approach was rejected.

Prompt: "I don't like this solution. Can we somehow exclude rpm-lockfile from checks?"
Response: Investigated options and concluded the standard renovate/renovate validator has no built-in way to exclude specific managers, presenting the available alternatives.

Prompt: "Check if we can extend schema or if there is already existing schema in https://github.com/konflux-ci/mintmaker"
Response: Discovered that MintMaker uses a custom action (konflux-ci/renovate-config-validator-action) which runs quay.io/konflux-ci/mintmaker-renovate-image:latest — a Renovate image with native rpm-lockfile support. Switched the Makefile to use that image; validation now passes cleanly with no filtering needed.

Prompt: "Should we modify github actions in this repo to use konflux-ci/renovate-config-validator-action?"
Response: Explained that it's unnecessary since CI already calls make renovate-validate — adding the action directly would create two validation paths to maintain with no real benefit.

Prompt: "Add short comment in Makefile why we are using quay.io/konflux-ci/mintmaker-renovate-image"
Response: Added a two-line comment above the docker run command explaining that the MintMaker image is required for rpm-lockfile support.

Prompt: "Add beads for changes we did and close it."
Response: Created and closed stackrox-mcp-wmy tracking the renovate validation fix.
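The PR description above lists the pieces that make the build hermetic: the `hermetic` flag and a `prefetch-input` covering both `gomod` and `rpm`, an `rpms.in.yaml` naming the packages to prefetch for all four architectures, and a generated `rpms.lock.yaml` pinning every transitive RPM with a SHA256 checksum. The script below is an added example, not code from this PR or from the acs-mcp-server project, showing the two checks a reviewer would want automated: that a PipelineRun cannot silently fall back to a networked build, and that every requested package is pinned for every architecture. It assumes the files have already been loaded with `yaml.safe_load()` (the dicts are constructed inline so it runs offline), that `prefetch-input` is a JSON list of `{"type": ...}` objects as in Konflux pipelines, and that the lockfile has the per-arch `arches[].packages[]` layout with `name` and `checksum` fields; those layout details are assumptions and the checksum values are placeholders.

```python
"""Lint a Konflux hermetic-build configuration (added example, not project code).

Assumptions (not taken from the PR): documents are already parsed dicts, the
PipelineRun keeps `hermetic` and `prefetch-input` under spec.params, and the
lockfile nests packages per architecture with `name` and `checksum` keys.
"""
import json
import re

REQUIRED_PREFETCH_TYPES = {"gomod", "rpm"}
ARCHES = ["x86_64", "aarch64", "ppc64le", "s390x"]  # the PR's four platforms
SHA256_RE = re.compile(r"^sha256:[0-9a-f]{64}$")

# Constructed stand-in for .tekton/acs-mcp-server-push.yaml after the change.
PIPELINERUN_OK = {"spec": {"params": [
    {"name": "hermetic", "value": "true"},
    {"name": "prefetch-input",
     "value": json.dumps([{"type": "gomod"}, {"type": "rpm"}])},
]}}

# Constructed stand-in for the pre-change file: no hermetic flag, gomod only.
PIPELINERUN_BAD = {"spec": {"params": [
    {"name": "prefetch-input", "value": json.dumps([{"type": "gomod"}])},
]}}

# Constructed rpms.in.yaml equivalent: the two packages named in the PR.
RPMS_IN = {"packages": ["ca-certificates", "openssl"], "arches": ARCHES}

# Constructed lockfile fragments; checksums are placeholders, not real digests.
RPMS_LOCK_OK = {"lockfileVersion": 1, "arches": [
    {"arch": a, "packages": [
        {"name": "ca-certificates", "checksum": "sha256:" + "0" * 64},
        {"name": "openssl", "checksum": "sha256:" + "1" * 64},
        {"name": "openssl-libs", "checksum": "sha256:" + "2" * 64},
    ]} for a in ARCHES
]}
RPMS_LOCK_BAD = {"lockfileVersion": 1, "arches": [
    {"arch": "x86_64", "packages": [
        {"name": "ca-certificates", "checksum": "sha256:" + "0" * 64},
        {"name": "openssl"},  # unpinned: nothing verifies the bits at build time
    ]},
    {"arch": "aarch64", "packages": [
        {"name": "ca-certificates", "checksum": "sha256:" + "0" * 64},
        {"name": "openssl", "checksum": "sha256:" + "1" * 64},
    ]},
    # ppc64le and s390x deliberately absent
]}


def _params(doc):
    """Flatten spec.params into a name -> value mapping."""
    return {p["name"]: p.get("value") for p in doc.get("spec", {}).get("params", [])}


def check_pipelinerun(doc):
    """Findings that would let the build reach the network or skip a prefetch type."""
    findings = []
    params = _params(doc)
    if str(params.get("hermetic", "")).lower() != "true":
        findings.append("hermetic is not 'true': build may use the network")
    types = set()
    raw = params.get("prefetch-input")
    if raw:
        try:
            types = {entry.get("type") for entry in json.loads(raw)}
        except (ValueError, TypeError, AttributeError):
            findings.append("prefetch-input is not a JSON list of {type: ...}")
    for missing in sorted(REQUIRED_PREFETCH_TYPES - types):
        findings.append(f"prefetch-input lacks type '{missing}'")
    return findings


def check_lockfile(rpms_in, lock):
    """Every requested package must be locked, with a sha256, on every arch."""
    findings = []
    locked = {a.get("arch"): a.get("packages", []) for a in lock.get("arches", [])}
    for arch in rpms_in.get("arches", []):
        pkgs = locked.get(arch)
        if pkgs is None:
            findings.append(f"{arch}: no entry in rpms.lock.yaml")
            continue
        names = {p.get("name") for p in pkgs}
        for want in rpms_in.get("packages", []):
            if want not in names:
                findings.append(f"{arch}: {want} not locked")
        for p in pkgs:  # transitive deps must be pinned too, not only the requested ones
            if not SHA256_RE.match(str(p.get("checksum", ""))):
                findings.append(f"{arch}: {p.get('name')} has no sha256 checksum")
    return findings


if __name__ == "__main__":
    for label, doc in (("push (ok)", PIPELINERUN_OK), ("push (bad)", PIPELINERUN_BAD)):
        print(label, check_pipelinerun(doc) or "OK")
    for label, lock in (("lock (ok)", RPMS_LOCK_OK), ("lock (bad)", RPMS_LOCK_BAD)):
        print(label, check_lockfile(RPMS_IN, lock) or "OK")
```

Running both checks against every `.tekton/*.yaml` PipelineRun matters because the PR sets `hermetic: 'true'` in the pull-request and push pipelines separately; a later edit that drops the flag from one of them reopens network access for that path while the other keeps passing. The lockfile check iterates over every locked package, not only the ones listed in `rpms.in.yaml`, because an unpinned transitive dependency is just as unverifiable at build time as an unpinned direct one.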

@mtodor mtodor requested a review from janisz as a code owner March 27, 2026 10:04
@codecov-commenter

codecov-commenter commented Mar 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 73.88%. Comparing base (68f7605) to head (c939ea0).
✅ All tests successful. No failed tests found.

Additional details and impacted files
@@           Coverage Diff           @@
##             main      #95   +/-   ##
=======================================
  Coverage   73.88%   73.88%           
=======================================
  Files          30       30           
  Lines        1302     1302           
=======================================
  Hits          962      962           
  Misses        300      300           
  Partials       40       40           
Flag Coverage Δ
integration 73.88% <ø> (ø)
unit 73.88% <ø> (ø)


@github-actions

github-actions bot commented Mar 27, 2026

E2E Test Results

Commit: c939ea0
Workflow Run: View Details
Artifacts: Download test results & logs

=== Evaluation Summary ===

  ✓ list-clusters (assertions: 3/3)
  ✓ cve-detected-workloads (assertions: 3/3)
  ✓ cve-detected-clusters (assertions: 3/3)
  ~ cve-nonexistent (assertions: 2/3)
      - MaxToolCalls: Too many tool calls: expected <= 5, got 6
  ✓ cve-cluster-does-exist (assertions: 3/3)
  ~ cve-cluster-does-not-exist (assertions: 2/3)
      - ToolsUsed: Required tool not called: server=stackrox-mcp, tool=, pattern=list_clusters
  ✓ cve-clusters-general (assertions: 3/3)
  ✗ cve-cluster-list (assertions: 3/3)
      one or more verification steps failed
  ✓ cve-log4shell (assertions: 3/3)
  ✓ cve-multiple (assertions: 3/3)
  ✓ rhsa-not-supported (assertions: 2/2)

Tasks:      10/11 passed (90.91%)
Assertions: 30/32 passed (93.75%)
Tokens:     ~58358 (estimate - excludes system prompt & cache)
MCP schemas: ~12738 (included in token total)
Agent used tokens:
  Input:  16604 tokens
  Output: 23194 tokens
Judge used tokens:
  Input:  50913 tokens
  Output: 49732 tokens

@mtodor mtodor force-pushed the mtodor/ROX-32922-add-hermetic-builds branch from a63d42a to 95728d7 Compare March 27, 2026 12:51
@mtodor mtodor force-pushed the mtodor/ROX-32922-adjust-trigger-logic branch from a6f8913 to 82791b0 Compare March 27, 2026 13:44
Base automatically changed from mtodor/ROX-32922-adjust-trigger-logic to main March 27, 2026 14:54
@mtodor mtodor force-pushed the mtodor/ROX-32922-add-hermetic-builds branch from 95728d7 to c939ea0 Compare March 27, 2026 15:39
@mtodor mtodor merged commit 2f7d6b4 into main Mar 27, 2026
8 checks passed
@mtodor mtodor deleted the mtodor/ROX-32922-add-hermetic-builds branch March 27, 2026 15:53

3 participants