From 292f22342fdf550174823c9784f7a40f6df5772d Mon Sep 17 00:00:00 2001
From: adobes1 <adobes@redhat.com>
Date: Tue, 2 Jun 2026 12:12:25 +0200
Subject: [PATCH] Build ose-machine-os-images hermetically

Switch to rpm-lockfile-prototype backend for automatic transitive RPM
dependency resolution. Add RHCOS ISO URLs as Cachi2 generic artifacts
so they are prefetched instead of downloaded at build time. Remove
network_mode: open.

ISO URLs sourced from the installer image's embedded stream JSON
(build 9.6.20260112-0). Temporary url_pull added for testing.

rh-pre-commit.version: 2.3.2
rh-pre-commit.check-secrets: ENABLED
---
 images/ose-machine-os-images.yml | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)

diff --git a/images/ose-machine-os-images.yml b/images/ose-machine-os-images.yml
index fdd8b363f9..194ce35215 100644
--- a/images/ose-machine-os-images.yml
+++ b/images/ose-machine-os-images.yml
@@ -31,24 +31,24 @@ payload_name: machine-os-images
 owners:
 - metal-platform@redhat.com
 konflux:
-  network_mode: open  # fetch_image.sh script requires network access to download images in hermetic env - ART-14122
   vm_override:
     # ref thread: https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1743022042311039
     # can be removed after whilelist is in
     x86_64: linux/amd64
   cachi2:
     lockfile:
-      rpms:
-      - device-mapper
-      - device-mapper-libs
-      - s390utils-core
-      - coreos-installer-0.21.0-3.el9_4
-      - cryptsetup-libs-2.6.0-3.el9
-      - jq-1.6-16.el9_4.1
-      - kbd-2.4.0-9.el9
-      - kbd-legacy-2.4.0-9.el9
-      - kbd-misc-2.4.0-9.el9
-      - kmod-28-9.el9
-      - kpartx-0.8.7-27.el9_4.2
-      - oniguruma-6.9.6-1.el9.5
-      - systemd-udev-252-32.el9_4.7
\ No newline at end of file
+      backend: rpm-lockfile-prototype
+    artifact_lockfile:
+      # RHCOS ISO URLs sourced from openshift/installer repo:
+      # data/data/coreos/rhcos.json
+      # These are the same URLs that openshift-install coreos print-stream-json outputs.
+      # Whenever it changes, update these URLs to match .architectures.{arch}.artifacts.metal.formats.iso.disk.location
+      resources:
+      - url: https://rhcos.mirror.openshift.com/art/storage/prod/streams/rhel-9.6/builds/9.6.20260112-0/x86_64/rhcos-9.6.20260112-0-live-iso.x86_64.iso
+        filename: coreos-x86_64.iso
+      - url: https://rhcos.mirror.openshift.com/art/storage/prod/streams/rhel-9.6/builds/9.6.20260112-0/aarch64/rhcos-9.6.20260112-0-live-iso.aarch64.iso
+        filename: coreos-aarch64.iso
+      - url: https://rhcos.mirror.openshift.com/art/storage/prod/streams/rhel-9.6/builds/9.6.20260112-0/ppc64le/rhcos-9.6.20260112-0-live-iso.ppc64le.iso
+        filename: coreos-ppc64le.iso
+      - url: https://rhcos.mirror.openshift.com/art/storage/prod/streams/rhel-9.6/builds/9.6.20260112-0/s390x/rhcos-9.6.20260112-0-live-iso.s390x.iso
+        filename: coreos-s390x.iso