From 30c0d35dd439fec07bac89a3cf966cd298449c86 Mon Sep 17 00:00:00 2001
From: Brad Smith
Date: Tue, 11 Nov 2025 17:05:56 -0500
Subject: [PATCH 1/5] build: update to support required bastion proxyjump host for dist-git server

Relates to JIRA: DISCOVERY-1169
---
 .env-example | 4 ++--
 .gitignore | 1 +
 README.md | 23 +++++++++++++++++++++--
 3 files changed, 24 insertions(+), 4 deletions(-)
diff --git a/.env-example b/.env-example
index 8f72e80..5d6b137 100644
--- a/.env-example
+++ b/.env-example
@@ -19,8 +19,8 @@
 #DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_DEFAULT=remotes/origin/discovery-1-rhel-9
 #DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX=remotes/origin/discovery-
-# you *probably need* to set this to make git happy
-# try to `ssh pkgs.devel.redhat.com` and grab the value from `grep pkgs.devel.redhat.com ~/.ssh/known_hosts`
+# This is optional because the mounted .ssh config dir should have everything.
+# However, we still append this value, if set, to the known_hosts file.
 #KNOWN_HOSTS=
 # make it noisy!
diff --git a/.gitignore b/.gitignore
index a1795ac..6124c34 100644
--- a/.gitignore
+++ b/.gitignore
@@ -1,2 +1,3 @@
 repos
 downstream_builder.egg-info
+ssh-config
diff --git a/README.md b/README.md
index ffb38c2..357e813 100644
--- a/README.md
+++ b/README.md
@@ -14,6 +14,18 @@ Optionally create a local directory for sharing repos and virtualenv cache (this
 mkdir repos
 ```
+Prepare your ssh configs to mount as a volume. This is REQUIRED for running with Red Hat's internal git and build servers. Please see the `unofficial-internal-documentation` for reference values. For security reasons, this public project does not include those values.
+
+```sh
+mkdir -p ./ssh-config
+# assuming a recent clone of unofficial-internal-documentation nearby
+cp ../unofficial-internal-documentation/reference/dist-git-ssh-configs/config ./ssh-config/config
+cp ../unofficial-internal-documentation/reference/dist-git-ssh-configs/known_hosts ./ssh-config/known_hosts
+chmod 640 ./ssh-config/config
+chmod 640 ./ssh-config/known_hosts
+```
+
+
 Optionally edit a `.env` file as needed:
 ```sh
@@ -29,15 +41,22 @@ podman build -f Containerfile -t downstream-builder:latest .
 Connect to the Red Hat VPN. This program communicates with several internal hosts and will fail without appropriate network access.
-Run it! Remove the `-v` or `--env-file` arguments if you do not wish to use the shared directory or env file.
+Run the container:
 ```sh
 podman run \
 -v "$PWD"/repos:/repos:Z \
+ -v "$PWD"/ssh-config:/home/builder/.ssh:Z \
 --rm -it \
 --env-file .env \
 downstream-builder:latest
-````
+```
+
+Some notes about this command:
+
+* You MAY remove the `repos` volume mount if you do not want to preserve the cloned repos, but you probably should keep these for sake of performance.
+* You MAY remove the `.env` file if you do not want to pass any personalized defaults.
+* You MUST include the `ssh-config` volume mount if you intend to build inside Red Hat's network. The base image itself does not include sufficient configs to communicate with the remote servers.
 When the container starts, it will ask you several questions with defaults populated by environment variables that may be loaded from your `.env` file. Assuming all goes well, when the requested build tasks complete, the script will dump you back into a `bash` shell (still inside the container) where you may complete any additional steps manually.
From ebe3d1f8ea0dc568db8a7161e2b136fbe024ea61 Mon Sep 17 00:00:00 2001
From: Brad Smith
Date: Tue, 11 Nov 2025 17:11:17 -0500
Subject: [PATCH 2/5] build: update CA cert for brew/rhpkg

Relates to JIRA: DISCOVERY-1169
---
 Containerfile | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/Containerfile b/Containerfile
index 315e30f..d0975f2 100644
--- a/Containerfile
+++ b/Containerfile
@@ -4,11 +4,11 @@ RUN dnf install -y \
 krb5-workstation git man vim which chkconfig java-headless cargo packit \
 python3-pip python3-devel python3-setuptools \
 python3-rich python3-pyyaml \
- && curl -L -o /etc/pki/ca-trust/source/anchors/RH-IT-Root-CA.crt https://certs.corp.redhat.com/certs/2015-IT-Root-CA.pem \
- && curl -L -o /etc/pki/ca-trust/source/anchors/2022-IT-Root-CA.pem https://certs.corp.redhat.com/certs/2022-IT-Root-CA.pem \
+ && curl -L -o /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem https://certs.corp.redhat.com/certs/Current-IT-Root-CAs.pem \
 && update-ca-trust \
 && curl -L -o /etc/yum.repos.d/rcm-tools-fedora.repo https://download.devel.redhat.com/rel-eng/RCMTOOLS/rcm-tools-fedora.repo \
 && dnf install -y rhpkg brewkoji \
+ && cp /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem /etc/pki/brew/RH-IT-Root-CA.crt \
 && rm -f /etc/yum.repos.d/rcm-tools-fedora.repo \
 && dnf clean all
From 72576a49e3d4ce36e87c133117e501caba20eb2b Mon Sep 17 00:00:00 2001
From: Brad Smith
Date: Thu, 13 Nov 2025 13:49:45 -0500
Subject: [PATCH 3/5] docs: fix incorrect argument order in "next steps" suggested command
---
 discobuilder/builder/cli.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)
diff --git a/discobuilder/builder/cli.py b/discobuilder/builder/cli.py
index 2b61149..9e8b312 100644
--- a/discobuilder/builder/cli.py
+++ b/discobuilder/builder/cli.py
@@ -132,7 +132,7 @@ def show_next_steps_summary(with_scratch=True, release="rhel-9", target=None):
 Create a scratch build:
 cd {config.DISCOVERY_CLI_GIT_REPO_PATH}
- rhpkg build --release {release} --target={target} --scratch
+ rhpkg --release {release} build --target={target} --scratch
 """
 )
From 79afa0c7c4fc89b034d6c58b8244400236c26c01 Mon Sep 17 00:00:00 2001
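Review bot: In the Containerfile hunk, the added `curl -L -o …/Current-IT-Root-CAs.pem` step installs whatever the server returns as a system trust anchor: without `-f`, an HTTP error page is written to the file with exit status 0, the `&&` chain carries on, and the new `cp` then places the same file at `/etc/pki/brew/RH-IT-Root-CA.crt`. The download should fail closed, `&& curl -fsSL -o /etc/pki/ca-trust/source/anchors/Current-IT-Root-CAs.pem https://certs.corp.redhat.com/certs/Current-IT-Root-CAs.pem \`. Because "Current" names a bundle that can change between builds, it is also worth comparing the file against a digest recorded in the repository (for example with `sha256sum -c`) before `update-ca-trust` runs. The unchanged `curl -L` for the rcm-tools repo file in the same RUN has the same gap; the RUN instruction itself starts above the hunk.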
From: Brad Smith
Date: Thu, 13 Nov 2025 13:52:01 -0500
Subject: [PATCH 4/5] fix: update default branches and targets from discovery-1-* to discovery-2-*
---
 discobuilder/builder/cli.py | 2 +-
 discobuilder/builder/installer.py | 4 ++--
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/discobuilder/builder/cli.py b/discobuilder/builder/cli.py
index 9e8b312..6e7e53e 100644
--- a/discobuilder/builder/cli.py
+++ b/discobuilder/builder/cli.py
@@ -141,7 +141,7 @@ def show_next_steps_summary(with_scratch=True, release="rhel-9", target=None):
 Update the release branch and create the release build:
 cd {config.DISCOVERY_CLI_GIT_REPO_PATH}
- git checkout discovery-1-{release}
+ git checkout discovery-2-{release}
 git rebase {config.PRIVATE_BRANCH_NAME}
 git push
 rhpkg build --scratch
diff --git a/discobuilder/builder/installer.py b/discobuilder/builder/installer.py
index da5ed4e..4127b48 100644
--- a/discobuilder/builder/installer.py
+++ b/discobuilder/builder/installer.py
@@ -153,7 +153,7 @@ def build_installer():
 def show_next_steps_summary(with_scratch=True, release="rhel-9", target=None):
 if not target:
- target = f"discovery-1-{release}-candidate"
+ target = f"discovery-2-{release}-candidate"
 release_message = dedent(
 f"""
@@ -178,7 +178,7 @@ def show_next_steps_summary(with_scratch=True, release="rhel-9", target=None):
 Update the release branch and create the release build:
 cd {config.DISCOVERY_INSTALLER_GIT_REPO_PATH}
- git checkout discovery-1-{release}
+ git checkout discovery-2-{release}
 git rebase {config.PRIVATE_BRANCH_NAME}
 git push
 rhpkg build --scratch
From f925215e221e00ae13fd088eda5a4c814ced6e3b Mon Sep 17 00:00:00 2001
From: Brad Smith
Date: Thu, 13 Nov 2025 13:54:25 -0500
Subject: [PATCH 5/5] feat: update default filter to show only "discovery-2-*" branches
---
 .env-example | 4 ++--
 discobuilder/config.py | 2 +-
 2 files changed, 3 insertions(+), 3 deletions(-)
diff --git a/.env-example b/.env-example
index 5d6b137..2335e6e 100644
--- a/.env-example
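Review bot: The installer.py hunk at -153 moves the fallback `target` to `discovery-2-{release}-candidate`, but the cli.py part of this commit only changes the `git checkout` line. `show_next_steps_summary` in cli.py takes the same `target=None` parameter and its fallback lies outside the visible hunks, so please confirm it does not still produce `discovery-1-{release}-candidate`. The stream name is now written out in three f-strings across the two files, which makes the next bump easy to apply only in part. One constant in config.py (a suggested name: `RELEASE_STREAM = "discovery-2"`), used as `f"{config.RELEASE_STREAM}-{release}-candidate"`, would keep them in step. Both functions continue beyond the hunks shown.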
+++ b/.env-example
@@ -16,8 +16,8 @@
 # you generally should not need to change any of these
 #DISCOVERY_CLI_GIT_URL=ssh://username@pkgs.devel.redhat.com/rpms/discovery-cli.git
 #DISCOVERY_CLI_GIT_REPO_PATH=/repos/discovery-cli
-#DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_DEFAULT=remotes/origin/discovery-1-rhel-9
-#DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX=remotes/origin/discovery-
+#DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_DEFAULT=remotes/origin/discovery-2-rhel-9
+#DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX=remotes/origin/discovery-2-
 # This is optional because the mounted .ssh config dir should have everything.
 # However, we still append this value, if set, to the known_hosts file.
diff --git a/discobuilder/config.py b/discobuilder/config.py
index 588b88e..e316154 100644
--- a/discobuilder/config.py
+++ b/discobuilder/config.py
@@ -28,7 +28,7 @@
 "remotes/origin/discovery-2-rhel-9",
 )
 DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX = environ.get(
- "DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX", "remotes/origin/discovery-"
+ "DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX", "remotes/origin/discovery-2-"
 )
 # discovery-installer is downstream repo for packaging quipucords-installer
 DISCOVERY_INSTALLER_GIT_URL = environ.get(
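Review bot: In the config.py hunk, only the CLI default `DISCOVERY_CLI_GIT_REMOTE_RELEASE_BRANCH_PREFIX` is narrowed to `remotes/origin/discovery-2-`. The installer settings begin on the last context line and are not touched by this commit, so if an installer counterpart of this prefix exists it presumably still matches every `discovery-*` branch; that is worth confirming. A comment above the assignment would also help, for example `# Only discovery-2-* release branches are offered by default; set the env var to list older streams.`, so the narrower filter reads as deliberate. The installer assignment that follows continues outside the hunk.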