From 4c0d9df4d509315439ef891096481d84c1ba01e0 Mon Sep 17 00:00:00 2001
From: Evgeny Slutsky <eslutsky@redhat.com>
Date: Tue, 16 Jun 2026 07:09:13 +0200
Subject: [PATCH] CI: add GPG keys to composer package sources to fix manifest
 serialization

osbuild-composer now strictly enforces that repos with check_gpg=true
must have gpgkeys configured. The fast-datapath and rhocp-y/y1/y2
package sources were missing the gpgkeys field, causing intermittent
ManifestCreationFailed errors during edge-commit builds:

  cannot serialize pipeline "os": package "tuned" requires GPG check
  but repo "..." has no GPG keys configured

Add the Red Hat release GPG key to all RHSM-based GA package sources
that have check_gpg=true.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 test/package-sources/fast-datapath-rhel9.toml | 1 +
 test/package-sources/rhocp-y.toml             | 1 +
 test/package-sources/rhocp-y1.toml            | 1 +
 test/package-sources/rhocp-y2.toml            | 1 +
 4 files changed, 4 insertions(+)

diff --git a/test/package-sources/fast-datapath-rhel9.toml b/test/package-sources/fast-datapath-rhel9.toml
index 07db67ddf0..a913e22009 100644
--- a/test/package-sources/fast-datapath-rhel9.toml
+++ b/test/package-sources/fast-datapath-rhel9.toml
@@ -4,5 +4,6 @@ type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/fast-datapath/os"
 check_gpg = true
 check_ssl = true
+gpgkeys = ["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"]
 system = false
 rhsm = true
diff --git a/test/package-sources/rhocp-y.toml b/test/package-sources/rhocp-y.toml
index 8fb8a5ac26..62af8c8083 100644
--- a/test/package-sources/rhocp-y.toml
+++ b/test/package-sources/rhocp-y.toml
@@ -5,6 +5,7 @@ type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/rhocp/4.{{ .Env.RHOCP_MINOR_Y }}/os"
 check_gpg = true
 check_ssl = true
+gpgkeys = ["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"]
 system = false
 rhsm = true
 {{- else if env.Getenv "RHOCP_MINOR_Y_BETA" "" -}}
diff --git a/test/package-sources/rhocp-y1.toml b/test/package-sources/rhocp-y1.toml
index 542c2cebca..ce3f6af85b 100644
--- a/test/package-sources/rhocp-y1.toml
+++ b/test/package-sources/rhocp-y1.toml
@@ -5,6 +5,7 @@ type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/rhocp/4.{{ .Env.RHOCP_MINOR_Y1 }}/os"
 check_gpg = true
 check_ssl = true
+gpgkeys = ["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"]
 system = false
 rhsm = true
 {{- else if env.Getenv "RHOCP_MINOR_Y1_BETA" "" -}}
diff --git a/test/package-sources/rhocp-y2.toml b/test/package-sources/rhocp-y2.toml
index d4689d19e4..12288fb4af 100644
--- a/test/package-sources/rhocp-y2.toml
+++ b/test/package-sources/rhocp-y2.toml
@@ -5,6 +5,7 @@ type = "yum-baseurl"
 url = "https://cdn.redhat.com/content/dist/layered/rhel9/{{ .Env.UNAME_M }}/rhocp/4.{{ .Env.RHOCP_MINOR_Y2 }}/os"
 check_gpg = true
 check_ssl = true
+gpgkeys = ["file:///etc/pki/rpm-gpg/RPM-GPG-KEY-redhat-release"]
 system = false
 rhsm = true
 {{- end -}}