riscv-koji: drop secure-boot policies as they are not needed in the secondary koji

Signed-off-by: Kevin Fenzi <kevin@scrye.com>
2026-05-03 19:35:07 +08:00 · 2025-06-09 12:30:43 -07:00
parent 032d277d75
commit e968d706e7
1 changed files with 6 additions and 0 deletions
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -124,6 +124,7 @@ Plugins = osbuild koji-fedoramessaging runroot_hub tag2distrepo sidetag_hub save
 tag =
    # We don't want to allow any draft builds to be tagged yet
    is_draft :: deny
+{% if koji_instance == "primary" %}
    user bodhi && tag *-override && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
    has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign fwupd fwupd-efi :: allow
@@ -155,6 +156,7 @@ tag =
        is_sidetag && is_sidetag_owner :: allow
        all :: deny Tagging OpenH264 to non-openh264 tags is forbidden.
    }
+{% endif %}

 channel =
    method osbuildImage :: use osbuild
@@ -168,11 +170,14 @@ channel =
       has_perm customchannel :: req
    }

+{% if koji_instance == "primary" %}
 #we want pesign-test-app to always go to the secure-boot channel even for scratch builds
    source */pesign-test-app* && has_perm secure-boot :: use secure-boot
+{% endif %}
 #make sure all scratch builds go to default channel
    method build && bool scratch :: use default

+{% if koji_instance == "primary" %}
 #policys to deal with secure boot allowing only people in the secure-boot group to build the packages
    source */kernel* && has_perm secure-boot :: use secure-boot
    source */shim* && has_perm secure-boot :: use secure-boot
@@ -189,6 +194,7 @@ channel =
    source */webkitgtk* :: use heavybuilder
    source */webkit2gtk4* :: use heavybuilder
    source */firefox* :: use heavybuilder
+{% endif %}

    is_child_task :: parent
    all :: use default