From deb4aeb854748686a8335e5499d4fcf14013b730 Mon Sep 17 00:00:00 2001
From: Andrew Lukoshko
Date: Tue, 9 Jun 2026 18:22:35 +0200
Subject: [PATCH] Fix product=="rhel8" equality gates for almalinux8; enable auto_increment
Step 5 only rewrote the list-membership form (product in [...,"rhel8"]), so the shared rules using the equality form (product == "rhel8") fell through to the generic else branch for almalinux8. Most visibly, configure_custom_crypto_policy_cis dropped NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/ NO-WEAKMAC, weakening the CIS crypto remediation vs the rhel8 base (no hard failure since NO-SHA1 still ships on EL8). Now almalinux8 follows the rhel8 branch. Also set auto_increment on the .alma.1 release suffix.
---
 config.yaml | 1 +
 files/add-almalinux8-support.sh | 11 +++++++++++
 2 files changed, 12 insertions(+)
diff --git a/config.yaml b/config.yaml
index 246dbb9..03c32d3 100644
--- a/config.yaml
+++ b/config.yaml
@@ -124,6 +124,7 @@ actions:
 - modify_release:
 - suffix: ".alma.1"
 enabled: true
+ auto_increment: true
 - changelog_entry:
 - name: "Andrew Lukoshko"
diff --git a/files/add-almalinux8-support.sh b/files/add-almalinux8-support.sh
index 5061939..12e00af 100644
--- a/files/add-almalinux8-support.sh
+++ b/files/add-almalinux8-support.sh
@@ -36,9 +36,20 @@ find ./shared -type f -exec sed -i \
 -e 's|multi_platform_rhel|multi_platform_rhel\nmulti_platform_almalinux|g' {} \;
 # 5. Improve Ansible support in conditionals
+# Two product-gating idioms are used in the shared rule templates:
+# - list membership: {% if product in [..., "rhel8"] %}
+# - equality: {% if product == "rhel8" %}
+# The list form is rewritten below. The equality form is NOT a substring of
+# the list form, so it must be handled separately, otherwise almalinux8
+# silently falls through to the generic `else` branch of those rules (e.g.
+# configure_custom_crypto_policy_cis drops NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/
+# NO-WEAKMAC, weakening the CIS crypto remediation versus the rhel8 base).
 find ./linux_os -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i \
 -e '/if product in/ s/"rhel8"/"rhel8", "almalinux8"/g' {} \;
+find ./linux_os ./shared -type d -name ensure_redhat_gpgkey_installed -prune -o -type f -exec sed -i -E \
+ -e 's/product == (["'\''])rhel8\1/(product == \1rhel8\1 or product == \1almalinux8\1)/g' {} \;
+
 # 6. Add disa references symlinks for AlmaLinux
 for xml in $(find shared/references/ -type f -name 'disa-stig-rhel*.xml'); do
 target="$(echo "$xml" | sed 's/rhel/almalinux/g')"
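Review bot: The added `sed -E` rewrite in step 5 matches only the exact spelling `product == "rhel8"` (one space on each side, positive test) and nothing afterwards checks the result, so a gate it misses leaves almalinux8 on the generic `else` branch as silently as before this fix. From the expression alone, `product != "rhel8"` and `product=="rhel8"` would be skipped; whether upstream uses those forms is not visible in the hunk. Because the outcome is a weaker hardening profile rather than a build error, I would fail the script on leftovers right after the rewrite, e.g. `if grep -rnE --exclude-dir=ensure_redhat_gpgkey_installed "product *[!=]= *[\"']rhel8[\"']" ./linux_os ./shared | grep -v almalinux8; then exit 1; fi`. The list-form rewrite just above still walks only `./linux_os` although the new comment places both idioms in the shared templates, so it is worth confirming `./shared` holds no `if product in [...]` gates.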