diff --git a/config.yaml b/config.yaml
index 1830d6b..12c4d0a 100644
--- a/config.yaml
+++ b/config.yaml
@@ -47,6 +47,7 @@ actions:
- modify_release:
- suffix: ".alma.1"
enabled: true
+ auto_increment: true
- changelog_entry:
- name: "Andrew Lukoshko"
diff --git a/files/add-almalinux9-support.sh b/files/add-almalinux9-support.sh
index 9cb5a6e..834e1e9 100644
--- a/files/add-almalinux9-support.sh
+++ b/files/add-almalinux9-support.sh
@@ -29,9 +29,20 @@ find ./shared -type f -exec sed -i \
-e 's|multi_platform_rhel|multi_platform_rhel\nmulti_platform_almalinux|g' {} \;
# 4. Improve Ansible support in conditionals
+# Two product-gating idioms are used in the shared rule templates:
+# - list membership: {% if product in [..., "rhel9"] %}
+# - equality: {% if product == "rhel9" %}
+# The list form is rewritten below. The equality form is NOT a substring of
+# the list form, so it must be handled separately, otherwise almalinux9
+# silently falls through to the generic `else` branch of those rules (e.g.
+# configure_custom_crypto_policy_cis drops NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/
+# NO-WEAKMAC/NO-RPMSHA1, weakening the CIS crypto remediation vs the rhel9 base).
find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
-e '/if product in/ s/"rhel9"/"rhel9", "almalinux9"/g' {} \;
+find ./linux_os ./shared -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i -E \
+ -e 's/product == (["'\''])rhel9\1/(product == \1rhel9\1 or product == \1almalinux9\1)/g' {} \;
+
# 5. Add disa references symlinks for AlmaLinux
for xml in $(find shared/references/ -type f -name 'disa-stig-rhel*.xml'); do
target="$(echo "$xml" | sed 's/rhel/almalinux/g')"