Step 5 only rewrote the list-membership form (product in [...,"rhel8"]), so
the shared rules using the equality form (product == "rhel8") fell through to
the generic else branch for almalinux8. Most visibly,
configure_custom_crypto_policy_cis dropped NO-SSHWEAKCIPHERS/NO-SSHWEAKMACS/
NO-WEAKMAC, weakening the CIS crypto remediation vs the rhel8 base (no hard
failure since NO-SHA1 still ships on EL8). Now almalinux8 follows the rhel8
branch.
Also set auto_increment on the .alma.1 release suffix.
The el8 spec uses %setup, and autopatch adds explicit %patch lines.
Switching to %autosetup caused patches to be applied twice (once by
autosetup, once by the explicit %patch lines). Keep %setup so patches
are only applied via autopatch's %patch lines.
Switch from a single large patch to add-almalinux8-support.sh script
and 4 smaller patches for maintainability. The script handles all sed/find
debranding operations while patches cover complex multi-file changes
(GPG key test, OS detection, Ansible whitelist, DISA delta cmake).
