We own components that install packages in the ContainerFile, and we want to build the components hermetically (with no internet connectivity).
To allow that, we have followed https://konflux.pages.redhat.com/docs/users/building/activation-keys-subscription.html#configuring-an-rpm-lockfile-for-hermetic-builds on how to set up the creation of redhat.repo }}&{{{}rpms.in.yaml & rpms.lock.yaml.
It works very well manually, but it requires manual intervention every time Mintmaker is triggered by the renovate.json file for any base image changes (newer image digest) in the ContainerFiles. These automatic MRs are awesome when there is a need to update rpms.lock.yaml, but when you do need to, we have to update them manually.
We can either use a) postUpgradeTasks and wait for KONFLUX-11483 fix of Artifact update problem (https://gitlab.cee.redhat.com/dragonfly/storage-base-remediation/-/merge_requests/3#note_19332534) or b) with lockfilemaintenance
 
This issue happens for FAR, NHC and SBR (e.g., renovate.json of SBR at https://gitlab.cee.redhat.com/dragonfly/storage-base-remediation/-/blob/sbr-0-1/renovate.json?ref_type=heads).
We need this automation to avoid stale MRs from any branch and any operator we maintain that needs our manual fix.
 
See also the thread on Slack https://redhat-internal.slack.com/archives/C04PZ7H0VA8/p1766471146818369