ROX-32922: Add hermetic builds for Konflux

.github/renovate.json5

@@ -28,13 +28,20 @@
     // - gomod: intentionally omitted (handled by Dependabot)
     // - tekton: keeps Konflux pipeline tasks up-to-date (MintMaker-specific knowledge, Dependabot cannot do this)
     "dockerfile",
+    "rpm-lockfile",
     "tekton",
   ],
   "dockerfile": {
     "includePaths": [
       "konflux.Dockerfile",
     ],
   },
+  "rpm-lockfile": {
+    "schedule": [
+      // Duplicate the schedule here because Konflux global config may have a special override for rpm-lockfile.
+      "* 3-7 * * *",
+    ],
+  },
   "tekton": {
     "schedule": [
       // Duplicate the schedule here because Konflux global config may have a special override for tekton.

.tekton/acs-mcp-server-pull-request.yaml

@@ -42,6 +42,14 @@ spec:
     value: 5d
   - name: dockerfile
     value: konflux.Dockerfile
+  - name: hermetic
+    value: 'true'
+  - name: prefetch-input
+    value: |
+      [
+        { "type": "gomod", "path": "." },
+        { "type": "rpm", "path": "." }
+      ]
   - name: clone-depth
     value: '0'
   - name: clone-fetch-tags

.tekton/acs-mcp-server-push.yaml

@@ -45,7 +45,13 @@ spec:
   - name: dockerfile
     value: konflux.Dockerfile
   - name: hermetic
-    value: 'false'
+    value: 'true'
+  - name: prefetch-input
+    value: |
+      [
+        { "type": "gomod", "path": "." },
+        { "type": "rpm", "path": "." }
+      ]
   - name: build-source-image
     value: 'true'
   - name: build-image-index

.tekton/basic-component-pipeline.yaml

@@ -160,6 +160,8 @@ spec:
       value: $(params.output-image-repo):konflux-$(params.revision).prefetch
     - name: ociArtifactExpiresAfter
       value: $(params.oci-artifact-expires-after)
+    - name: ACTIVATION_KEY
+      value: subscription-manager-activation-key-prod
     runAfter:
     - clone-repository
     taskRef:

Makefile

@@ -112,7 +112,9 @@ shell-lint: ## Run shellcheck on shell scripts
 
 .PHONY: renovate-validate
 renovate-validate: ## Validate .github/renovate.json5 configuration
-	$(DOCKER_CMD) run --rm -it --entrypoint=renovate-config-validator -v "$(shell pwd)/.github":/mnt_github -w /mnt_github renovate/renovate --strict
+	# Using MintMaker's Renovate image instead of the standard renovate/renovate because it includes
+	# the rpm-lockfile manager which is a MintMaker-specific extension unknown to the standard image.
+	$(DOCKER_CMD) run --rm -it --entrypoint=renovate-config-validator -v "$(shell pwd)/.github":/mnt_github -w /mnt_github quay.io/konflux-ci/mintmaker-renovate-image:latest --strict
 
 .PHONY: actionlint
 actionlint: ## Run actionlint on GitHub Actions workflows

konflux.Dockerfile

@@ -11,12 +11,6 @@ ARG PRODUCT_DISPLAY_NAME="Red Hat Advanced Cluster Security (ACS)"
 # Set working directory
 WORKDIR /workspace
 
-# Copy go module files first for better layer caching
-COPY go.mod go.sum ./
-
-# Download dependencies (cached layer)
-RUN go mod download
-
 # Copy source code
 COPY . .
 

rpms.in.yaml

@@ -0,0 +1,13 @@
+packages:
+  - ca-certificates
+  - openssl
+contentOrigin:
+  repofiles:
+    - rpms.rhel9.repo
+context:
+  bare: true
+arches:
+  - aarch64
+  - ppc64le
+  - s390x
+  - x86_64