From 44e0d9ff74eca90906ca0d2acb921503f651e307 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:48 -0400 Subject: [PATCH 1/9] ci/prow-entrypoint: stop building okd-c9s variant It's not built anywhere but in that script currently. OKD doesn't care about this since they're targeting the layered model, and we already only build the c9s variant in the prod pipeline. So stop building this in CI and just instead build the c9s variant. --- ci/prow-entrypoint.sh | 8 ++++---- 1 file changed, 4 insertions(+), 4 deletions(-) diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh index 294d01372..3ca471da3 100755 --- a/ci/prow-entrypoint.sh +++ b/ci/prow-entrypoint.sh @@ -81,7 +81,7 @@ cosa_build() { # Build QEMU image and run all kola tests kola_test_qemu() { cosa buildextend-qemu - cosa kola run --parallel 2 --output-dir ${ARTIFACT_DIR:-/tmp}/kola --rerun --allow-rerun-success tags=needs-internet + cosa kola run --parallel 2 --output-dir ${ARTIFACT_DIR:-/tmp}/kola --rerun --allow-rerun-success tags=needs-internet "$@" } # Build metal, metal4k & live images and run kola tests @@ -301,13 +301,13 @@ main() { ;; "scos-9-build-test-qemu") setup_user - cosa_init "okd-c9s" + cosa_init "c9s" cosa_build - kola_test_qemu + kola_test_qemu --tag '!openshift' ;; "scos-9-build-test-metal") setup_user - cosa_init "okd-c9s" + cosa_init "c9s" cosa_build kola_test_metal ;; From 4df39e7eacb76c5fd924e98bddce4657dc972021 Mon Sep 17 00:00:00 2001 
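Review bot: On the changed `cosa kola run` line in `kola_test_qemu`, the new `"$@"` is quoted but `${ARTIFACT_DIR:-/tmp}/kola` is not, so an `ARTIFACT_DIR` value containing whitespace or glob characters would be split into extra kola arguments. Quote it while the line is being touched: `--output-dir "${ARTIFACT_DIR:-/tmp}/kola"`. The comment above the function could also say that extra arguments are forwarded to `kola run`, since the only caller visible here that uses this is `kola_test_qemu --tag '!openshift'` in the second hunk.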
From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:49 -0400 Subject: [PATCH 2/9] extensions/Dockerfile: only call get-ocp-repo.sh in OpenShift CI We want to be able to build this container directly via `podman build` in production, but the way this conditional is structured breaks things because we're always calling `get-ocp-repo.sh`, which is only useful when building in OpenShift CI. Really, the conditional there was not correct. We should check for `OPENSHIFT_CI` instead like in the main `Containerfile` for the node image, and set that same build arg in openshift/release. The `--create-gpg-keys` case was needed when building `okd-c9s` in CI, but we don't do that anymore, so drop it and drop the switch from the script since it no longer has a user. --- ci/get-ocp-repo.sh | 3 +-- extensions/Dockerfile | 4 ++-- 2 files changed, 3 insertions(+), 4 deletions(-) diff --git a/ci/get-ocp-repo.sh b/ci/get-ocp-repo.sh index dc795daef..4fb06fa75 100755 --- a/ci/get-ocp-repo.sh +++ b/ci/get-ocp-repo.sh @@ -73,7 +73,7 @@ cosa_workdir= ocp_manifest= output_dir= rc=0 -options=$(getopt --options h --longoptions help,cosa-workdir:,ocp-layer:,output-dir:,cleanup,create-gpg-keys -- "$@") || rc=$? +options=$(getopt --options h --longoptions help,cosa-workdir:,ocp-layer:,output-dir:,cleanup -- "$@") || rc=$? [ $rc -eq 0 ] || print_usage_and_exit eval set -- "$options" while [ $# -ne 0 ]; do @@ -83,7 +83,6 @@ while [ $# -ne 0 ]; do --ocp-layer) ocp_manifest=$2; shift;; --output-dir) output_dir=$2; shift;; --cleanup) cleanup_repos; exit 0;; - --create-gpg-keys) create_gpg_keys; exit 0;; --) break;; *) echo "$0: invalid argument: $1" >&2; exit 1;; esac diff --git a/extensions/Dockerfile b/extensions/Dockerfile index 6d3168deb..6fe3f776a 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile 
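Review bot: The `create_gpg_keys` function itself appears to stay behind in ci/get-ocp-repo.sh. The diffstat for that file shows one insertion and two deletions, which accounts only for the `getopt` long-option string in the first hunk and the `--create-gpg-keys)` case arm in the second. If the function definition and any mention of the switch in the usage text are still present, they are now unreachable and should be removed in this patch too. Neither is visible in these hunks, so this needs checking against the full script.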
@@ -6,9 +6,9 @@ FROM registry.ci.openshift.org/rhcos-devel/rhel-coreos:latest as os RUN mkdir /os WORKDIR /os ADD . . -ARG COSA +ARG OPENSHIFT_CI=0 ARG VARIANT -RUN if [[ -z "$COSA" ]] ; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; else ci/get-ocp-repo.sh --create-gpg-keys; fi +RUN if [ "${OPENSHIFT_CI}" != 0 ]; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; fi RUN if [[ -n "${VARIANT}" ]]; then MANIFEST="manifest-${VARIANT}.yaml"; EXTENSIONS="extensions-${VARIANT}.yaml"; else MANIFEST="manifest.yaml"; EXTENSIONS="extensions.yaml"; fi && rpm-ostree compose extensions --rootfs=/ --output-dir=/usr/share/rpm-ostree/extensions/ ./"${MANIFEST}" ./"${EXTENSIONS}" ## Creates the repo metadata for the extensions. From 4bba6b70744afcc0d819c423843101b6306b9c04 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:50 -0400 Subject: [PATCH 3/9] extensions/Dockerfile: set default value for `VARIANT` I think that's implied but it fixes my editor's syntax highlighting. --- extensions/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/Dockerfile b/extensions/Dockerfile index 6fe3f776a..68023be8e 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile @@ -7,7 +7,7 @@ RUN mkdir /os WORKDIR /os ADD . . ARG OPENSHIFT_CI=0 -ARG VARIANT +ARG VARIANT="" RUN if [ "${OPENSHIFT_CI}" != 0 ]; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; fi RUN if [[ -n "${VARIANT}" ]]; then MANIFEST="manifest-${VARIANT}.yaml"; EXTENSIONS="extensions-${VARIANT}.yaml"; else MANIFEST="manifest.yaml"; EXTENSIONS="extensions.yaml"; fi && rpm-ostree compose extensions --rootfs=/ --output-dir=/usr/share/rpm-ostree/extensions/ ./"${MANIFEST}" ./"${EXTENSIONS}" From 4c29e4f97a56863d915aab462ec6bad1ff34e036 Mon Sep 17 00:00:00 2001 
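Review bot: The new guard `[ "${OPENSHIFT_CI}" != 0 ]` treats every value other than the literal `0` as enabled, so `--build-arg OPENSHIFT_CI=` (empty) or `OPENSHIFT_CI=false` would still run `ci/get-ocp-repo.sh` and pull in the CI repo configuration. If openshift/release passes `1`, comparing against the enabling value fails closed: `RUN if [ "${OPENSHIFT_CI}" = 1 ]; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; fi`. If the looser form is kept to match the main `Containerfile`, a comment above `ARG OPENSHIFT_CI=0` should state which values are meant to enable the step.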
From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:51 -0400 Subject: [PATCH 4/9] extensions/Dockerfile: support yumrepos secret Just like the main `Containerfile` for the layered node image, also support a `yumrepos` secret being passed in for injecting repo data. This will be used for building this container in production. (Again, like we do for the node image.) --- extensions/Dockerfile | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/extensions/Dockerfile b/extensions/Dockerfile index 68023be8e..22b605126 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile @@ -9,7 +9,7 @@ ADD . . ARG OPENSHIFT_CI=0 ARG VARIANT="" RUN if [ "${OPENSHIFT_CI}" != 0 ]; then ci/get-ocp-repo.sh --ocp-layer packages-openshift.yaml; fi -RUN if [[ -n "${VARIANT}" ]]; then MANIFEST="manifest-${VARIANT}.yaml"; EXTENSIONS="extensions-${VARIANT}.yaml"; else MANIFEST="manifest.yaml"; EXTENSIONS="extensions.yaml"; fi && rpm-ostree compose extensions --rootfs=/ --output-dir=/usr/share/rpm-ostree/extensions/ ./"${MANIFEST}" ./"${EXTENSIONS}" +RUN --mount=type=secret,id=yumrepos,target=/os/secret.repo if [[ -n "${VARIANT}" ]]; then MANIFEST="manifest-${VARIANT}.yaml"; EXTENSIONS="extensions-${VARIANT}.yaml"; else MANIFEST="manifest.yaml"; EXTENSIONS="extensions.yaml"; fi && rpm-ostree compose extensions --rootfs=/ --output-dir=/usr/share/rpm-ostree/extensions/ ./"${MANIFEST}" ./"${EXTENSIONS}" ## Creates the repo metadata for the extensions. ## This uses Fedora as a lowest-common-denominator because it will work on From 3d97d3062c9c452219c56bd0471ec9fb7b278352 Mon Sep 17 00:00:00 2001 
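Review bot: The secret mount added to the `rpm-ostree compose extensions` step is undocumented and optional. Nothing in the hunk says why the target is `/os/secret.repo`, and without `required=true` a production build started without `--secret id=yumrepos` would compose from whatever repo files already sit in `/os`. Presumably rpm-ostree picks up `.repo` files next to the manifest, which is why the secret lands in the work directory. A comment above the RUN would record that, e.g. `# optional yumrepos secret, mounted as /os/secret.repo for this step only so rpm-ostree reads it alongside the manifest`. Since CI builds without the secret, making it required is probably not an option, so the production pipeline should verify on its side that the secret was actually supplied.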
From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:52 -0400 Subject: [PATCH 5/9] extensions/Dockerfile: tweak `extensions.json` generation Rather than repeating the `> /tmp/extensions.json`, just do it once by redirecting the overall output of the command list and pipeline. Although not strictly necessary by bash operator precedence rules, add parentheses for the inner `dnf repoquery | sed` pipeline because other- wise, one is left wondering what the operator precedence rules are. --- extensions/Dockerfile | 7 +++---- 1 file changed, 3 insertions(+), 4 deletions(-) diff --git a/extensions/Dockerfile b/extensions/Dockerfile index 22b605126..a9609af23 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile @@ -24,12 +24,11 @@ RUN createrepo_c /usr/share/rpm-ostree/extensions/ # Generate extensions.json for meta.json, written to a bind-mounted path during the build. # Use dnf repoquery to print 'name: version,' for each RPM # sed to remove the comma from the last RPM -RUN sh -c 'echo "{" > /tmp/extensions.json && \ -dnf repoquery --repofrompath=extensions,/usr/share/rpm-ostree/extensions/ \ +RUN (echo "{" && \ +(dnf repoquery --repofrompath=extensions,/usr/share/rpm-ostree/extensions/ \ --quiet --disablerepo=* --enablerepo=extensions \ --queryformat "\"%{name}\": \"%{evr}.%{arch}\"," | \ -sed "$ s/,$//" >> /tmp/extensions.json && \ -echo "}" >> /tmp/extensions.json' +sed "$ s/,$//") && echo "}") >> /tmp/extensions.json ## Final container that has the extensions repo dir FROM registry.access.redhat.com/ubi9/ubi:latest From 31816acb1ae377c9c48f1e4bc70fbf63cf4adc2d Mon Sep 17 00:00:00 2001 
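Review bot: The rewritten command list ends in `>> /tmp/extensions.json`, so the whole object is appended rather than written. If the file already exists at that point, the result is two concatenated objects and no longer valid JSON. Now that the output is redirected once, a truncating redirect fits: `sed "$ s/,$//") && echo "}") > /tmp/extensions.json`. The same `>>` is carried over to `/usr/share/rpm-ostree/extensions.json` in the PATCH 6/9 hunk. Separately, the inner pipeline's status comes from `sed`, so as far as the hunk shows a failing `dnf repoquery` would still yield a file and a passing build; checking dnf's status or enabling pipefail for this step would surface that.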
From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:53 -0400 Subject: [PATCH 6/9] extensions/Dockerfile: add extensions.json to last layer Just like 6241505 ("Containerfile: add metadata in last layer of node image"), we want to make it easy for anyone but particularly ART to query metadata about the extensions container. Instead of generating `extensions.json` but assuming it's a bind-mount, directly put it in the final container image. In the cosa path, we'll keep propagating that info up to the build's `meta.json` to not regress, but now at least in the container-native flow, we also have that metadata accessible either by doing an `oc image extract` or a `podman run $img cat /path/to/extensions.json`. --- extensions/Dockerfile | 7 +++++-- 1 file changed, 5 insertions(+), 2 deletions(-) diff --git a/extensions/Dockerfile b/extensions/Dockerfile index a9609af23..b78273bca 100644 --- a/extensions/Dockerfile +++ b/extensions/Dockerfile 
@@ -21,15 +21,18 @@ RUN rm -f /etc/yum.repos.d/*.repo \ RUN dnf install -y createrepo_c RUN createrepo_c /usr/share/rpm-ostree/extensions/ -# Generate extensions.json for meta.json, written to a bind-mounted path during the build. +# Generate extensions.json for meta.json. # Use dnf repoquery to print 'name: version,' for each RPM # sed to remove the comma from the last RPM RUN (echo "{" && \ (dnf repoquery --repofrompath=extensions,/usr/share/rpm-ostree/extensions/ \ --quiet --disablerepo=* --enablerepo=extensions \ --queryformat "\"%{name}\": \"%{evr}.%{arch}\"," | \ -sed "$ s/,$//") && echo "}") >> /tmp/extensions.json +sed "$ s/,$//") && echo "}") >> /usr/share/rpm-ostree/extensions.json ## Final container that has the extensions repo dir FROM registry.access.redhat.com/ubi9/ubi:latest COPY --from=builder /usr/share/rpm-ostree/extensions/ /usr/share/rpm-ostree/extensions/ +# Make this the last layer, this is similar to the metalayer trick in the node +# image, but this one is specific to rpm-ostree extensions. +COPY --from=builder /usr/share/rpm-ostree/extensions.json /usr/share/rpm-ostree/extensions.json From eb0b37f712ae7d3d363a3be71e0df54c7adc5695 Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Mon, 17 Mar 2025 10:22:54 -0400 Subject: [PATCH 7/9] scripts/generate-metadata: skip `gpg-pubkey` rpmdb entries Those aren't real packages so don't include it in the metadata to not add confusion. --- scripts/generate-metadata | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/scripts/generate-metadata b/scripts/generate-metadata index 9aa26de91..bf463e2d3 100755 --- a/scripts/generate-metadata +++ b/scripts/generate-metadata @@ -42,6 +42,10 @@ def get_rpmdb_pkglist(): rpmdb = [] for line in out.splitlines(): n, e, v, r, a = line.split() + if n == 'gpg-pubkey': + # those aren't real packages, it's just how rpm represents imported + # GPG keys + continue # canonicalize none to 0 to match rpm-ostree semantics if e == '(none)': e = '0' 
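Review bot: Skipping `gpg-pubkey` entries in the scripts/generate-metadata hunk also drops the only record in this package list of which RPM signing keys were imported into the image's rpmdb. If consumers of the metadata are expected to audit those trust anchors, consider emitting them under a separate key instead of discarding them. Otherwise the comment should say the omission is deliberate, e.g. `# imported GPG keys, not packages; intentionally not reported`. `get_rpmdb_pkglist` begins and ends outside the hunk.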
From 4a9510de413c19921a2922d698cb59e48c8b8c4c Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Tue, 18 Mar 2025 16:23:34 -0400 Subject: [PATCH 8/9] ci/prow-entrypoint: drop "build"/"init-and-build-default" verbs This has been around for a while but isn't used anywhere AFAICT. Just nuke it. --- ci/prow-entrypoint.sh | 4 ---- 1 file changed, 4 deletions(-) diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh index 3ca471da3..e7791fce1 100755 --- a/ci/prow-entrypoint.sh +++ b/ci/prow-entrypoint.sh @@ -270,10 +270,6 @@ main() { cosa_init "$2" prepare_repos ;; - "build" | "init-and-build-default") # TODO: change prow job to use init-and-build-default - cosa_init "ocp-rhel-9.6" - cosa_build - ;; # this is called by cosa's CI "rhcos-cosa-prow-pr-ci") setup_user From 12e735481b6059a36296cd42f46bf0ff504ae8ee Mon Sep 17 00:00:00 2001 From: Jonathan Lebon Date: Tue, 18 Mar 2025 22:16:53 -0400 Subject: [PATCH 9/9] ci/prow-entrypoint: build extensions in ocp-rhel-9.6 QEMU tests only It seems unnecessary to build it in both the `metal` and `qemu` path. Also this implicitly stops building it in the `c9s` tests, where it doesn't make sense. --- ci/prow-entrypoint.sh | 6 +++++- 1 file changed, 5 insertions(+), 1 deletion(-) diff --git a/ci/prow-entrypoint.sh b/ci/prow-entrypoint.sh index e7791fce1..5ed7c2148 100755 --- a/ci/prow-entrypoint.sh +++ b/ci/prow-entrypoint.sh @@ -74,7 +74,9 @@ cosa_build() { cosa fetch # Only build the ostree image by default cosa build ostree - # Build extensions container +} + +cosa_build_extensions() { cosa buildextend-extensions-container } @@ -275,12 +277,14 @@ main() { setup_user cosa_init "ocp-rhel-9.6" cosa_build + cosa_build_extensions kola_test_qemu ;; "rhcos-9-build-test-qemu") setup_user cosa_init "ocp-rhel-9.6" cosa_build + cosa_build_extensions kola_test_qemu ;; "rhcos-9-build-test-metal")
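Review bot: In PATCH 9/9, `cosa_build_extensions` is introduced without a comment, while the `# Build extensions container` line it replaces is deleted from `cosa_build`. Keep that comment above the new function and state the scope the commit message gives, e.g. `# Build the extensions container (only for the ocp-rhel-9.6 QEMU jobs)`. The case statement in `main` continues outside the second hunk, so any other verb that relied on `cosa_build` producing the extensions container would need the extra call as well; none is visible here.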