
LCORE-858: konflux - correct RPM repo id#860

Merged: tisnik merged 1 commit into lightspeed-core:main from raptorsun:EC-repo-fix on Dec 5, 2025

LCORE-858: konflux - correct RPM repo id#860
tisnik merged 1 commit intolightspeed-core:mainfrom
raptorsun:EC-repo-fix

Conversation

@raptorsun (Contributor) commented Dec 2, 2025

Description

This PR resolves the EC issue in the release pipeline

  ✕ [Violation] rpm_repos.ids_known
    ImageRef: quay.io/redhat-user-workloads/lightspeed-core-tenant/lightspeed-stack@sha256:db14c15df3527cc07e91a4566e6112994be9234df31caa1bf3be8771223d18b4
    Reason: RPM repo id check failed: An RPM component in the SBOM specified an unknown or disallowed repository_id:
    pkg:rpm/redhat/ed@1.14.2-12.el9?arch=aarch64&checksum=sha256:3bce4ce6243886c448e58f589b79e3ac829fcde53d1ff13d5906a8cdc22be091&repository_id=ubi-9-baseos-rpms
    (37 additional similar violations not separately listed)
    Term:
    pkg:rpm/redhat/ed@1.14.2-12.el9?arch=aarch64&checksum=sha256:3bce4ce6243886c448e58f589b79e3ac829fcde53d1ff13d5906a8cdc22be091&repository_id=ubi-9-baseos-rpms
    Title: All rpms have known repo ids
    Description: Each RPM package listed in an SBOM must specify the repository id that it comes from, and that repository id must
    be present in the list of known and permitted repository ids. Currently this rule is enforced only for SBOM components created
    by cachi2. To exclude this rule add
    "rpm_repos.ids_known:pkg:rpm/redhat/ed@1.14.2-12.el9?arch=aarch64&checksum=sha256:3bce4ce6243886c448e58f589b79e3ac829fcde53d1ff13d5906a8cdc22be091&repository_id=ubi-9-baseos-rpms"
    to the `exclude` section of the policy configuration.
    Solution: Ensure every rpm comes from a known and permitted repository, and that the data in the SBOM correctly records that.

Type of change

  • Refactor
  • New feature
  • Bug fix
  • CVE fix
  • Optimization
  • Documentation Update
  • Configuration Update
  • Bump-up service version
  • Bump-up dependent library
  • Bump-up library or tool used for development (does not change the final image)
  • CI configuration change
  • Konflux configuration change
  • Unit tests improvement
  • Integration tests improvement
  • End to end tests improvement

Tools used to create PR

Identify any AI code assistants used in this PR (for transparency and review context)

  • Assisted-by: (e.g., Claude, CodeRabbit, Ollama, etc., N/A if not used)
  • Generated by: (e.g., tool name and version; N/A if not used)

Related Tickets & Documents

  • Related Issue # LCORE-858
  • Closes #

Checklist before requesting a review

  • I have performed a self-review of my code.
  • PR has passed all pre-merge test jobs.
  • If it is a core feature, I have added thorough tests.

Testing

  • Please provide detailed steps to perform tests related to this code change.
  • How were the fix/results from this change verified? Please provide relevant screenshots or results.

Summary by CodeRabbit

  • Chores
    • Converted repository IDs to architecture-specific names and updated repo headers for consistency.
    • Reassigned many packages between base OS and appstream sets and refreshed versions, sizes, checksums, and metadata (no behavior changes).
    • Adjusted runtime package set and package selections.
    • Simplified container install step to use default repos and adjusted build-user placement.


@coderabbitai (bot) commented Dec 2, 2025

Walkthrough

Repo IDs were made architecture-specific (per-$basearch) in ubi.repo; rpms.lock.yaml was restructured with many packages moved/updated to arch-specific repoids, new evr/sourcerpm, URLs, sizes, and checksums for aarch64 and x86_64; Containerfile package-install steps were simplified/adjusted around repo usage. No control-flow changes.

Changes

Cohort / File(s) Change Summary
Repository config
ubi.repo
Repository section headers and IDs renamed from static names (e.g., ubi-9-baseos-rpms, ubi-9-appstream-rpms, ubi-9-codeready-builder-*.rpms) to per-arch forms using $basearch (e.g., ubi-9-for-$basearch-baseos-rpms, ubi-9-for-$basearch-appstream-rpms, codeready-builder-for-ubi-9-$basearch-*.rpms). Names/headers updated; baseurls, gpg keys, and enable flags left unchanged.
Package lockfile
rpms.lock.yaml
Large reorganization: many package entries moved/added under arch-specific repoids (ubi-9-for-*-baseos-rpms, ubi-9-for-*-appstream-rpms) with updated evr/sourcerpm, new URLs, sizes, and checksums across both aarch64 and x86_64. Core packages (gcc/cpp, glibc, kernel-headers, libasan/ubsan/gomp, systemd, openssl, util-linux, etc.) and numerous baseos/appstream components updated. Lockfile structure preserved.
Container build
Containerfile
Adjusted package installation step: removed explicit enabling of fixed repo IDs and simplified dnf install -y ... usage; introduced/ensured USER root placement before install block. The file no longer depends on the old static repo enablement flags (repo invocation simplified).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~25 minutes

  • Review rpms.lock.yaml for correctness of updated URLs, sizes, and checksums (high-risk for mismatches).
  • Verify evr and sourcerpm values align with expected package provenance for both architectures.
  • Confirm any tooling or scripts that referenced old static repo IDs still work with the new per-arch IDs in ubi.repo.
  • Check the Containerfile install step behaves as intended in CI/build environments (repo enablement/substitution and USER placement).

Pre-merge checks and finishing touches

✅ Passed checks (3 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title 'LCORE-858: konflux - correct RPM repo id' directly addresses the main change: updating RPM repository IDs in the Konflux configuration from legacy generic IDs to arch-specific IDs to resolve SBOM validation violations.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

📜 Recent review details

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

📥 Commits

Reviewing files that changed from the base of the PR and between abb38ae and 56ed982.

📒 Files selected for processing (3)
  • Containerfile (1 hunks)
  • rpms.lock.yaml (1 hunks)
  • ubi.repo (1 hunks)
⏰ Context from checks skipped due to timeout of 90000ms. You can increase the timeout in your CodeRabbit configuration to a maximum of 15 minutes (900000ms). (4)
  • GitHub Check: build-pr
  • GitHub Check: Konflux kflux-prd-rh02 / lightspeed-stack-on-pull-request
  • GitHub Check: e2e_tests (ci)
  • GitHub Check: e2e_tests (azure)
🔇 Additional comments (4)
ubi.repo (1)

1-62: Per-$basearch repo IDs align with lockfile naming; verify Konflux allowed-list matches

The repo sections now use the per‑arch UBI naming:

  • ubi-9-for-$basearch-{baseos,appstream}-rpms (and debug/source)
  • codeready-builder-for-ubi-9-$basearch-rpms (and debug/source)

Base URLs, GPG config, and enablement flags remain consistent and look correct. After $basearch substitution, these IDs line up with the repoid values in rpms.lock.yaml.

This is what the Konflux rpm_repos.ids_known rule expects, as long as its allowed list uses the same strings.

Please double-check that:

  • The Konflux configuration’s list of permitted repo IDs matches these new section names verbatim for both aarch64 and x86_64, and
  • There are no remaining references to the old ubi-9-{baseos,appstream}-rpms IDs in any other Konflux or pipeline config.
Containerfile (1)

14-19: Confirm repo selection and SBOM entries in Konflux/cachi2 builds

Removing the explicit --enablerepo flags means gcc will resolve from whatever repos are enabled by default in the image plus any mounted ubi.repo. This changes repo selection semantics compared to the prior explicit repo pins, particularly if codeready or other supplementary repos are involved.

Verify that:

  • gcc is resolved from the intended UBI repos under Konflux/cachi2
  • SBOM entries for gcc and its dependencies have repository_id values matching your allowed list

To sanity-check repo availability during the build, you can add a temporary RUN dnf repolist -v | head -50 before the gcc installation to inspect active repos.

rpms.lock.yaml (2)

7-329: aarch64 lock entries: repo IDs and URLs are consistent; verify lockfile regeneration scope

The aarch64 entries show consistent repoid values using the arch-specific pattern (ubi-9-for-aarch64-appstream-rpms and ubi-9-for-aarch64-baseos-rpms), with URLs properly aligned to appstream/baseos segments. The example package (ed-1.14.2-12.el9) now correctly references ubi-9-for-aarch64-baseos-rpms.

Several packages (glibc-devel, systemd, openssl, pam, util-linux) have updated evr and checksums, indicating this is a full lock refresh to newer UBI content, not just a repo ID rename.

Confirm:

  • The lockfile was regenerated cleanly in a single cachi2 run with the updated ubi.repo
  • The x86_64 block follows the same arch-specific repoid pattern
  • No legacy repo ID patterns remain elsewhere in the repository

333-647: x86_64 lock entries: repo IDs match new naming; mirror aarch64 behavior

The x86_64 entries correctly use ubi-9-for-x86_64-appstream-rpms and ubi-9-for-x86_64-baseos-rpms repoid values, matching the x86_64 appstream/baseos paths in the URLs. The package set and EVR bumps (glibc*, systemd*, openssl, pam, util-linux, etc.) mirror the aarch64 side, keeping both architectures synchronized to the same UBI errata level. No mismatches between URL architecture and repoid naming are present.


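The violation quoted in the PR description and the allowed-list question CodeRabbit raises above both come down to one check: every RPM purl in the SBOM carries a `repository_id` qualifier, and that id appears in the set of dnf repo ids the build is permitted to use. The script below is an added example, not code from the lightspeed-stack project or from the Conforma/EC rule itself. It assumes the permitted ids are the section names of a dnf `.repo` file with `$basearch` expanded per architecture (as dnf does), and that SBOM RPM components are purls in the form shown in the violation. The `.repo` fragment and the purl list are constructed for the example; only the first purl is taken verbatim from the PR.

```python
"""Local re-creation of the rpm_repos.ids_known check (added example, not project code)."""
import configparser
from typing import Iterable, List, Optional, Set, Tuple
from urllib.parse import parse_qs, urlsplit

ARCHES = ("aarch64", "x86_64")

# Constructed fragment using the per-$basearch section names this PR introduces.
# baseurl/gpgkey lines are omitted; this is not the project's real ubi.repo.
UBI_REPO = """\
[ubi-9-for-$basearch-baseos-rpms]
name=Red Hat Universal Base Image 9 (RPMs) - BaseOS
enabled=1

[ubi-9-for-$basearch-appstream-rpms]
name=Red Hat Universal Base Image 9 (RPMs) - AppStream
enabled=1

[codeready-builder-for-ubi-9-$basearch-rpms]
name=Red Hat CodeReady Linux Builder for UBI 9 (RPMs)
enabled=0
"""

# Constructed SBOM components: the purl quoted in the PR (old static repo id),
# the same package with the corrected per-arch id, an x86_64 AppStream package
# (version made up), one RPM with no repository_id at all, and a non-RPM purl
# that the rule must ignore.
SAMPLE_PURLS = [
    "pkg:rpm/redhat/ed@1.14.2-12.el9?arch=aarch64&checksum=sha256:3bce4ce6243886c448e58f589b79e3ac829fcde53d1ff13d5906a8cdc22be091&repository_id=ubi-9-baseos-rpms",
    "pkg:rpm/redhat/ed@1.14.2-12.el9?arch=aarch64&checksum=sha256:3bce4ce6243886c448e58f589b79e3ac829fcde53d1ff13d5906a8cdc22be091&repository_id=ubi-9-for-aarch64-baseos-rpms",
    "pkg:rpm/redhat/gcc@11.5.0-5.el9?arch=x86_64&repository_id=ubi-9-for-x86_64-appstream-rpms",
    "pkg:rpm/redhat/glibc@2.34-168.el9?arch=x86_64",
    "pkg:pypi/requests@2.32.3",
]


def allowed_repo_ids(repo_text: str, arches: Iterable[str] = ARCHES) -> Set[str]:
    """Expand every .repo section name for each architecture, as dnf expands $basearch."""
    cp = configparser.ConfigParser(interpolation=None)
    cp.read_string(repo_text)
    return {sec.replace("$basearch", arch) for sec in cp.sections() for arch in arches}


def repository_id(purl: str) -> Optional[str]:
    """Return the repository_id qualifier of a purl, or None if it is missing."""
    qualifiers = parse_qs(urlsplit(purl).query)
    return qualifiers.get("repository_id", [None])[0]


def check_rpm_repo_ids(purls: Iterable[str], allowed: Set[str]) -> List[Tuple[str, Optional[str]]]:
    """Return (purl, repository_id) for each RPM component that fails the rule.

    Mirrors the rule text: every RPM must carry a repository_id and that id must
    be in the permitted set. Non-RPM purls are out of scope for this rule.
    """
    failures = []
    for purl in purls:
        if not purl.startswith("pkg:rpm/"):
            continue
        rid = repository_id(purl)
        if rid is None or rid not in allowed:
            failures.append((purl, rid))
    return failures


if __name__ == "__main__":
    permitted = allowed_repo_ids(UBI_REPO)
    print("permitted repo ids:", ", ".join(sorted(permitted)))
    for purl, rid in check_rpm_repo_ids(SAMPLE_PURLS, permitted):
        print(f"[Violation] rpm_repos.ids_known: repository_id={rid!r}\n    {purl}")
```

Run against a real build, `allowed_repo_ids` would be fed the repo file the build mounts and `check_rpm_repo_ids` the purls extracted from the generated SBOM; a repo id that passes dnf but is spelled differently from the allowed-list entry (for example the old static `ubi-9-baseos-rpms` against a per-arch list) is reported exactly as the pipeline did.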

@raptorsun force-pushed the EC-repo-fix branch 2 times, most recently from e592fa7 to abb38ae on December 2, 2025 14:12
Signed-off-by: Haoyu Sun <hasun@redhat.com>
@tisnik (Contributor) left a comment


LGTM

@tisnik tisnik merged commit 0550f02 into lightspeed-core:main Dec 5, 2025
21 of 23 checks passed
@raptorsun raptorsun deleted the EC-repo-fix branch December 5, 2025 09:34
@coderabbitai coderabbitai bot mentioned this pull request Feb 2, 2026