We need to follow the konflux doc to enable Hermetic builds
But a pre-requisite is to make sure we can pre-fetch all dependencies.

As always, the devil is in the details, and we may face issues like we had with CPaaS, forcing us to use git submodules, or modify the default (upstream) Makefile and/or Dockerfile. Those problems will show up as we enable hermetic builds for each of our images.

Prefetching dependencies

Go and rust

According to the documentation, we "just" need to declare the prefetch-input parameter, as we already have go.mod and Cargo.lock files.

See here
With (very limited) pre-requisites for go and rust

RPMs

In addition to the prefetch-input declaration, we have to follow these steps

In summary: we need to create some files that list the RPMs we want to install, using the rpm-lockfile-prototype tool.
This will let cachi2 (Hermeto?) know which RPMs we need, pinning them to a specific version, so that it lets us install them (but nothing else).

There may be some caveats

NOTE: *The rpm-lockfile-prototype and the rpm package manager for cachi2 are not fully supported. You can use them to prefetch rpms for your hermetic builds, but the file format and technology may change in the future. If you’re interested in the future of this topic, join the discussion at rpm-software-management/dnf5#833.|