For hermetic builds to work when RPMs are installed in an image, we need RPM lock files. Konflux then reads these lockfiles at build time and ensures the RPMs are prefetched and can be installed, even in the hermetic environment that the image build is running in (no access to network). 

Now, the process of creating the RPM lockfiles is manual. It is documented here and that is how I created the original version of the lockfiles.

However, every time a parent image is updated, the RPM lockfile needs to be updated: new versions of RPMs are included in these parent image updates. 

This process really should be automated in order to have "parent image updates" + "hermetic builds" working smoothly together. 

The recommended way to do so is through renovate/mintmaker `postUpgradeTasks`, as I tried to do so here.

However, enabling that seems to have stopped renovate from working correctly, as was discovered in this slack discussion .  

I will therefore need to remove that section to get renovate working again, but it really needs to be enabled again once https://issues.redhat.com/browse/KONFLUX-5890 and https://issues.redhat.com/browse/CWFHEALTH-3864 are fixed.