From c2670e5d11799dc6c65d43851f5ff1e8e90eec69 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko <alukoshko@almalinux.org>
Date: Tue, 9 Jun 2026 17:59:44 +0200
Subject: [PATCH] Fix product=="rhel10" equality gates for almalinux10; enable
 auto_increment

Step 5 only rewrote the list-membership form (product in [...,"rhel10"]),
so the 7 shared rules using the equality form (product == "rhel10") fell
through to the generic else branch for almalinux10. Most visibly,
configure_custom_crypto_policy_cis emitted DEFAULT:NO-SHA1, but the NO-SHA1
subpolicy module was dropped from crypto-policies on EL10, so
'update-crypto-policies --set DEFAULT:NO-SHA1:NO-SSHCBC' failed. Now
almalinux10 follows the rhel10 branch (DEFAULT + self-created modules).

Also set auto_increment on the .alma.1 release suffix.
---
 config.yaml                      |  1 +
 files/add-almalinux10-support.sh | 11 +++++++++++
 2 files changed, 12 insertions(+)

diff --git a/config.yaml b/config.yaml
index d8149c3..c27248a 100644
--- a/config.yaml
+++ b/config.yaml
@@ -37,6 +37,7 @@ actions:
   - modify_release:
     - suffix: ".alma.1"
       enabled: true
+      auto_increment: true
 
   - changelog_entry:
       - name: "Andrew Lukoshko"
diff --git a/files/add-almalinux10-support.sh b/files/add-almalinux10-support.sh
index 56422cb..39f7382 100644
--- a/files/add-almalinux10-support.sh
+++ b/files/add-almalinux10-support.sh
@@ -36,9 +36,20 @@ find ./shared -type f -exec sed -i \
     -e 's|<platform>multi_platform_rhel</platform>|<platform>multi_platform_rhel</platform>\n<platform>multi_platform_almalinux</platform>|g' {} \;
 
 # 5. Improve Ansible support in conditionals
+#    Two product-gating idioms are used in the shared rule templates:
+#      - list membership:  {% if product in [..., "rhel10"] %}
+#      - equality:         {% if product == "rhel10" %}
+#    The list form is rewritten below. The equality form is NOT a substring of
+#    the list form, so it must be handled separately, otherwise almalinux10
+#    silently falls through to the generic `else` branch of those rules (e.g.
+#    configure_custom_crypto_policy_cis emits DEFAULT:NO-SHA1, a module dropped
+#    from crypto-policies on EL10, breaking `update-crypto-policies --set`).
 find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
     -e '/if product in/ s/"rhel10"/"rhel10", "almalinux10"/g' {} \;
 
+find ./linux_os ./shared -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i -E \
+    -e 's/product == (["'\''])rhel10\1/(product == \1rhel10\1 or product == \1almalinux10\1)/g' {} \;
+
 # 6. Add AlmaLinux 10 constants
 sed -i \
     -e 's/ALMALINUX9/ALMALINUX10/g' \