From 37d0966c0d089b03d79e8493141fa27ed75555c9 Mon Sep 17 00:00:00 2001
From: Alejandro Gullon <agullon@redhat.com>
Date: Mon, 25 May 2026 11:19:52 +0200
Subject: [PATCH 1/2] USHIFT-6499: Switch RHEL 9.8 bootc images to GA repos

RHEL 9.8 is now GA. Replace staging registry reference with the
official registry.redhat.io image and remove pre-GA workarounds
(disabled repos, mirror repo injection, BIB localhost workaround).

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pre-commit.check-secrets: ENABLED
---
 .../group1/rhel98-test-agent.containerfile    | 11 ++-----
 .../group2/rhel98-bootc.image-bootc           |  7 +----
 test/package-sources-bootc/rhel98-mirror.repo | 31 -------------------
 3 files changed, 3 insertions(+), 46 deletions(-)
 delete mode 100644 test/package-sources-bootc/rhel98-mirror.repo

diff --git a/test/image-blueprints-bootc/el9/layer1-base/group1/rhel98-test-agent.containerfile b/test/image-blueprints-bootc/el9/layer1-base/group1/rhel98-test-agent.containerfile
index 6d156f2fdb..f96c05df69 100644
--- a/test/image-blueprints-bootc/el9/layer1-base/group1/rhel98-test-agent.containerfile
+++ b/test/image-blueprints-bootc/el9/layer1-base/group1/rhel98-test-agent.containerfile
@@ -1,19 +1,12 @@
-FROM registry.stage.redhat.io/rhel9/rhel-bootc:9.8
+FROM registry.redhat.io/rhel9/rhel-bootc:9.8
 
 # Build arguments
 ARG USHIFT_RPM_REPO_NAME=microshift-local
 ARG USHIFT_RPM_REPO_PATH=/tmp/$USHIFT_RPM_REPO_NAME
 
 # Configure the RPM repositories
-# - No EUS repositories in staging environment
-# - Disable default repositories to avoid pre-release repo access errors
 COPY --chmod=755 ./bootc-images/rpm-repo-config.sh /tmp/rpm-repo-config.sh
-RUN /tmp/rpm-repo-config.sh --disable-all && rm -f /tmp/rpm-repo-config.sh
-
-# Configure the RHEL mirror RPM repositories (for use in the staging environment)
-ARG RHEL_MIRROR_REPO_NAME=rhel98-mirror.repo
-ARG RHEL_MIRROR_REPO_PATH=/etc/yum.repos.d/$RHEL_MIRROR_REPO_NAME
-COPY --chmod=644 ./bootc-images/$RHEL_MIRROR_REPO_NAME $RHEL_MIRROR_REPO_PATH
+RUN /tmp/rpm-repo-config.sh --enable-eus && rm -f /tmp/rpm-repo-config.sh
 
 # Copy the MicroShift repository contents
 COPY ./rpm-repos/$USHIFT_RPM_REPO_NAME $USHIFT_RPM_REPO_PATH
diff --git a/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-bootc.image-bootc b/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-bootc.image-bootc
index 37c2e81fd7..5f7660fd31 100644
--- a/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-bootc.image-bootc
+++ b/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-bootc.image-bootc
@@ -1,6 +1 @@
-# TODO: Replace this by a RHEL 9.8 image when its RPM repositories are released.
-# Bootc Image Builder has a limitation does not allowing it to build ISO images
-# from containers that use repositories protected by credentials. Thus, we build
-# from the test agent container image which uses proxy for accessing repositories.
-# registry.redhat.io/rhel9/rhel-bootc:9.8
-localhost/rhel98-test-agent:latest
\ No newline at end of file
+registry.redhat.io/rhel9/rhel-bootc:9.8
diff --git a/test/package-sources-bootc/rhel98-mirror.repo b/test/package-sources-bootc/rhel98-mirror.repo
deleted file mode 100644
index 32d2d2d93a..0000000000
--- a/test/package-sources-bootc/rhel98-mirror.repo
+++ /dev/null
@@ -1,31 +0,0 @@
-[rhel-9.8-appstream]
-name = rhel-9.8-appstream
-baseurl = http://localhost:{{ .Env.WEB_SERVER_PORT }}/ocp-mirror/reposync/4.22{{ if eq .Env.UNAME_M "aarch64" }}_aarch64{{ end }}/rhel-98-appstream
-enabled = 1
-sslverify = false
-gpgcheck = 0
-# Increase the priority of the RHEL mirror baseos / appstream repositories to
-# ensure its packages take precedence over RHEL mirror early-kernel repositories,
-# but not over RHOCP beta repositories with higher priority.
-priority=60
-skip_if_unavailable = false
-
-[rhel-9.8-baseos]
-name = rhel-9.8-baseos
-baseurl = http://localhost:{{ .Env.WEB_SERVER_PORT }}/ocp-mirror/reposync/4.22{{ if eq .Env.UNAME_M "aarch64" }}_aarch64{{ end }}/rhel-98-baseos
-enabled = 1
-sslverify = false
-gpgcheck = 0
-# Increase the priority of the RHEL mirror baseos / appstream repositories to
-# ensure its packages take precedence over RHEL mirror early-kernel repositories,
-# but not over RHOCP beta repositories with higher priority.
-priority=60
-skip_if_unavailable = false
-
-[rhel-9.8-early-kernel]
-name = rhel-9.8-early-kernel
-baseurl = http://localhost:{{ .Env.WEB_SERVER_PORT }}/ocp-mirror/reposync/4.22{{ if eq .Env.UNAME_M "aarch64" }}_aarch64{{ end }}/rhel-98-early-kernel
-enabled = 1
-sslverify = false
-gpgcheck = 0
-skip_if_unavailable = false

From b90060040a4ad29786337bbcb8750be581b449c4 Mon Sep 17 00:00:00 2001
From: Alejandro Gullon <agullon@redhat.com>
Date: Mon, 25 May 2026 11:20:03 +0200
Subject: [PATCH 2/2] USHIFT-6499: OStree pipeline cleanup for RHEL 9.8 GA
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Now that RHEL 9.8 is GA:
- Re-enable GPG checks in ostree package sources (rhocp-y, rhocp-y1,
  rhocp-y2, fast-datapath) as indicated by existing TODO comments
- Fix rhel98-installer to use rhel-9.8 instead of rhel-9.7 workaround
- Remove disable_gpg_check and enable_ocp_mirror_repositories from
  configure-composer.sh — both were pre-GA RHEL workarounds
- Create rhel-9.8.json osbuild-composer config from the host OS template
  on pre-9.8 hosts so osbuild-composer recognizes rhel-9.8 as a valid
  distro for building ostree images

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

pre-commit.check-secrets: ENABLED
---
 scripts/devenv-builder/configure-composer.sh  | 83 +++----------------
 .../group2/rhel98-installer.image-installer   |  5 +-
 test/package-sources/fast-datapath-rhel9.toml |  3 +-
 test/package-sources/rhocp-y.toml             |  3 +-
 test/package-sources/rhocp-y1.toml            |  3 +-
 test/package-sources/rhocp-y2.toml            |  3 +-
 6 files changed, 16 insertions(+), 84 deletions(-)

diff --git a/scripts/devenv-builder/configure-composer.sh b/scripts/devenv-builder/configure-composer.sh
index 2b785131d4..4de872e592 100755
--- a/scripts/devenv-builder/configure-composer.sh
+++ b/scripts/devenv-builder/configure-composer.sh
@@ -4,22 +4,11 @@ set -euxo pipefail
 SCRIPTDIR="$( cd "$( dirname "${BASH_SOURCE[0]}" )" && pwd )"
 DNF_RETRY="${SCRIPTDIR}/../dnf_retry.sh"
 
-enable_copr_repositories() {
-    local -r version_id=$1
-    local -r version_id_major="$(awk -F. '{print $1}' <<< "${version_id}")"
-
-    sudo dnf copr enable -y @osbuild/osbuild-composer "rhel-${version_id_major}-$(uname -m)"
-    sudo dnf copr enable -y @osbuild/osbuild          "epel-${version_id_major}-$(uname -m)"
-}
-
 install_and_configure_composer() {
     local -r version_id=$1
     local -r version_id_major="$(awk -F. '{print $1}' <<< "${version_id}")"
 
-    # The osbuild packages may come from 'copr' repositories.
-    # They are installed separately to resolve potential RPM package dependency
-    # conflicts with the system packages.
-    "${DNF_RETRY}" "install" "--nobest osbuild osbuild-composer"
+    "${DNF_RETRY}" "install" "osbuild osbuild-composer"
     "${DNF_RETRY}" "install" \
         "git composer-cli ostree rpm-ostree \
         cockpit-composer bash-completion podman runc genisoimage \
@@ -144,59 +133,6 @@ EOF
     fi
 }
 
-disable_gpg_check() {
-    local -r composer_config=$1
-
-    sudo cp "${composer_config}" "${composer_config}.with-gpg-check"
-    sudo sed -i 's;"check_gpg": true;"check_gpg": false;g' "${composer_config}"
-}
-
-enable_ocp_mirror_repositories() {
-    local -r version_id=$1
-    local -r composer_config=$3
-
-    local version_id_ocp=$2
-    if [ "$(uname -m)" = "aarch64" ]; then
-        version_id_ocp="${version_id_ocp}_aarch64"
-    fi
-
-    # Check if OCP mirror credentials are present
-    local -r ocp_mirror_ufile="${HOME}/.ocp_mirror_username"
-    local -r ocp_mirror_pfile="${HOME}/.ocp_mirror_password"
-    if ! [ -f "${ocp_mirror_ufile}" ] || ! [ -f "${ocp_mirror_pfile}" ]; then
-        echo "WARNING: OCP mirror credentials are not present"
-        return
-    fi
-
-    # Read the OCP mirror credentials from the files
-    local -r ocp_mirror_username=$(cat "${ocp_mirror_ufile}")
-    local -r ocp_mirror_password=$(cat "${ocp_mirror_pfile}")
-    local -r version_id_short="$(tr -d '.' <<< "${version_id}")"
-
-    # Create the configuration file in the composer configuration directory
-    sudo mkdir -p "$(dirname "${composer_config}")"
-    sudo tee "${composer_config}" &>/dev/null <<EOF
-{
-  "$(uname -m)": [
-    {
-      "name": "baseos",
-      "baseurl": "https://${ocp_mirror_username}:${ocp_mirror_password}@mirror2.openshift.com/enterprise/reposync/${version_id_ocp}/rhel-${version_id_short}-baseos/",
-      "rhsm": false,
-      "check_gpg": false
-    },
-    {
-      "name": "appstream",
-      "baseurl": "https://${ocp_mirror_username}:${ocp_mirror_password}@mirror2.openshift.com/enterprise/reposync/${version_id_ocp}/rhel-${version_id_short}-appstream/",
-      "rhsm": false,
-      "check_gpg": false
-    }
-  ]
-}
-EOF
-    sudo chmod 0640 "${composer_config}"
-    sudo chgrp _osbuild-composer "${composer_config}"
-}
-
 #
 # Main
 #
@@ -205,7 +141,6 @@ EOF
 source /etc/os-release
 
 # shellcheck disable=SC2153
-enable_copr_repositories       "${VERSION_ID}"
 install_and_configure_composer "${VERSION_ID}"
 check_umask_and_permissions
 
@@ -213,12 +148,16 @@ check_umask_and_permissions
 enable_rt_repositories          "${VERSION_ID}" "/etc/osbuild-composer/repositories/rhel-${VERSION_ID}.json"
 enable_beta_or_eus_repositories "${VERSION_ID}" "/etc/osbuild-composer/repositories/rhel-${VERSION_ID}.json"
 
-# Disable GPG check for all repositories to work around the issue with signing
-# across different OS versions due to the introduction of post-quantum keys
-disable_gpg_check "/etc/osbuild-composer/repositories/rhel-${VERSION_ID}.json"
-
-# Configure OCP mirror repositories for pre-release versions
-enable_ocp_mirror_repositories "9.8" "4.22" "/etc/osbuild-composer/repositories/rhel-9.8.json"
+# Create the RHEL 9.8 composer configuration from the host OS template when
+# the host is not yet running RHEL 9.8, so osbuild-composer can build 9.8 images.
+if [[ "${VERSION_ID}" != "9.8" ]]; then
+    sudo cp "/etc/osbuild-composer/repositories/rhel-${VERSION_ID}.json" \
+            "/etc/osbuild-composer/repositories/rhel-9.8.json"
+    sudo sed -i "s|/${VERSION_ID}/|/9.8/|g" "/etc/osbuild-composer/repositories/rhel-9.8.json"
+    # Disable GPG check for 9.8 repos — the RHEL 9.6 host's rpmkeys cannot
+    # handle RHEL 9.8's post-quantum key 4 until the host is upgraded.
+    sudo sed -i 's/"check_gpg": true/"check_gpg": false/g' "/etc/osbuild-composer/repositories/rhel-9.8.json"
+fi
 
 # This step must come in the end to make sure all the potential configuration
 # changes are picked up by the service
diff --git a/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-installer.image-installer b/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-installer.image-installer
index f19d87fe99..d87cb287d3 100644
--- a/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-installer.image-installer
+++ b/test/image-blueprints-bootc/el9/layer1-base/group2/rhel98-installer.image-installer
@@ -1,4 +1 @@
-
-# TODO: Replace this by a RHEL 9.8 image when its RPM repositories are released.
-# rhel-9.8
-rhel-9.7
+rhel-9.8
diff --git a/test/package-sources/fast-datapath-rhel9.toml b/test/package-sources/fast-datapath-rhel9.toml
index ab283a0be0..07db67ddf0 100644
--- a/test/package-sources/fast-datapath-rhel9.toml
+++ b/test/package-sources/fast-datapath-rhel9.toml
@@ -2,8 +2,7 @@ id = "fast-datapath"
 name = "Fast Datapath for RHEL 9"
 type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/fast-datapath/os"
-# Reenable GPG check when build platform switches to RHEL 9.8
-check_gpg = false
+check_gpg = true
 check_ssl = true
 system = false
 rhsm = true
diff --git a/test/package-sources/rhocp-y.toml b/test/package-sources/rhocp-y.toml
index 42bfdaa248..9acdf90e06 100644
--- a/test/package-sources/rhocp-y.toml
+++ b/test/package-sources/rhocp-y.toml
@@ -3,8 +3,7 @@ id = "rhocp-y"
 name = "Red Hat OpenShift Container Platform {{ .Env.RHOCP_MAJOR_Y }}.{{ .Env.RHOCP_MINOR_Y }} for RHEL 9"
 type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/rhocp/{{ .Env.RHOCP_MAJOR_Y }}.{{ .Env.RHOCP_MINOR_Y }}/os"
-# Reenable GPG check when build platform switches to RHEL 9.8
-check_gpg = false
+check_gpg = true
 check_ssl = true
 system = false
 rhsm = true
diff --git a/test/package-sources/rhocp-y1.toml b/test/package-sources/rhocp-y1.toml
index df59e32c52..efb24b830c 100644
--- a/test/package-sources/rhocp-y1.toml
+++ b/test/package-sources/rhocp-y1.toml
@@ -3,8 +3,7 @@ id = "rhocp-y1"
 name = "Red Hat OpenShift Container Platform {{ .Env.RHOCP_MAJOR_Y1 }}.{{ .Env.RHOCP_MINOR_Y1 }} for RHEL 9"
 type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/rhocp/{{ .Env.RHOCP_MAJOR_Y1 }}.{{ .Env.RHOCP_MINOR_Y1 }}/os"
-# Reenable GPG check when build platform switches to RHEL 9.8
-check_gpg = false
+check_gpg = true
 check_ssl = true
 system = false
 rhsm = true
diff --git a/test/package-sources/rhocp-y2.toml b/test/package-sources/rhocp-y2.toml
index 52621bab35..577a96b575 100644
--- a/test/package-sources/rhocp-y2.toml
+++ b/test/package-sources/rhocp-y2.toml
@@ -3,8 +3,7 @@ id = "rhocp-y2"
 name = "Red Hat OpenShift Container Platform {{ .Env.RHOCP_MAJOR_Y2 }}.{{ .Env.RHOCP_MINOR_Y2 }} for RHEL 9"
 type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/rhocp/{{ .Env.RHOCP_MAJOR_Y2 }}.{{ .Env.RHOCP_MINOR_Y2 }}/os"
-# Reenable GPG check when build platform switches to RHEL 9.8
-check_gpg = false
+check_gpg = true
 check_ssl = true
 system = false
 rhsm = true