Add initial support for generating SPDX SBOM documents (COMPOSER-2274) #4359

Merged
merged 21 commits into from
Sep 20, 2024

Commits on Sep 19, 2024

  1. Schutzfile: update osbuild ref

    Update the ref to the v129, which supports SBOM documents.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    8635abc
  2. Schutzfile: update el10 / c10s rpmrepo snapshots

    This is needed to be able to install osbuild RPM builds, because that
    repo uses newer snapshots.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    326cf82
  3. Test/repositories: update el10 / c10s rpmrepo snapshots

    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    c3b9812
  4. Update osbuild/images to v0.88.0

    Adjust all places that call `Solver.Depsolve()`, to cope with the changes
    that enabled SBOM support.
    
    Fix loading of testing repositories in the CloudAPI unit tests.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    4672a0d
  5. SPEC: bump the minimum osbuild version

    This is needed for the SBOM support.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    f90bbc6
  6. Worker/json: remove redundant comment

    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    c71e5ca
  7. Worker/depsolve: add support for SBOM

    Add support to the `DepsolveJob` for requesting SBOM documents and
    returning the results from the job.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    85dae3a
  8. CloudAPI: request SBOM documents in depsolve jobs

    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    946785c
  9. Worker/osbuild: depend on depsolve job for Koji composes

    For Koji composes, all files are uploaded to Koji as part of the osbuild
    job (specifically as part of handling the Koji target). So in order to
    be able to upload SBOM documents to Koji as part of Koji compose, the
    osbuild job needs to be able to access the depsolve job result, which
    contains the SBOM documents. For this, the osbuild job must depend on
    the depsolve job.
    
    For Koji composes, make sure that osbuild job depends on the depsolve
    job and set the DepsolveDynArgsIdx.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    492a5f2
  10. Target/koji: extend the result struct with SBOM docs

    Extend the Koji target result struct with an optional slice for uploaded
    SBOM documents.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    a7bf28d
  11. Worker/koji-finalize: import uploaded SBOM documents

    If the Koji target result contains information about any uploaded SBOM
    documents, import them to Koji as part of the finalize task.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    945fa41
  12. Worker/osbuild/koji: upload SBOM documents

    Extend the Koji target handling in the osbuild job, to also upload SBOM
    documents attached to the related depsolve job result.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    2bb6628
  13. Test/koji.sh: adjust for SBOM documents

    Adjust the test case to cope with the SPDX SBOM documents uploaded to
    Koji. Also explicitly check that there is the expected number of
    SBOM documents uploaded as the image build output.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    fe06038
  14. CI/Koji: test RHEL-8 builds on RHEL-9

    We have been testing builds of RHEL-9 on RHEL-8 for the Koji use case.
    However, all of our workers are now running the latest GA RHEL-9
    version. Therefore we should flip the test and test building of RHEL-8
    on RHEL-9.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    a56a2d7
  15. CI/Koji: test building of RHEL-10 on RHEL-9

    This is what is currently happening on our Brew workers.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    Configuration menu
    Copy the full SHA
    6027bc6 View commit details
    Browse the repository at this point in the history
  16. CI/Koji: run Koji tests only on the latest RHEL-9 GA

    None of our workers are running RHEL-8 any more. There's no value in
    testing the Koji scenario on RHEL-8, RHEL-9 is fully sufficient.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    8ee2408
  17. CloudAPI: extend manifestJobResultsFromJobDeps() to also return JobInfo

    Extend the `manifestJobResultsFromJobDeps()` function to also return the
    manifest `JobInfo`. This will be useful to inspect the job dependencies
    and eliminate the need to add a specialized function for getting only
    the `JobInfo`.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 19, 2024
    de12214

Commits on Sep 20, 2024

  1. CloudAPI: add new /composes/{id}/sboms endpoint

    Add a new /sboms API endpoint, for getting SBOM documents for a given
    compose ID. The endpoint returns an array of SBOM documents for each
    image built as part of the compose. For each image, there is an SBOM
    document for each osbuild pipeline, which installs RPM packages. This is
    usually one 'buildroot' and one 'image' pipeline.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 20, 2024
    b3eea4a
  2. CloudAPI: test /sboms endpoint for regular composes

    Extend the unit test for regular (non-Koji) composes, to verify that
    the newly added /sboms endpoint works correctly.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 20, 2024
    b3f40b9
  3. CloudAPI: test /sboms endpoint for Koji composes

    Extend the API unit test for Koji composes, to verify that the newly
    added /sboms endpoint works correctly.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 20, 2024
    54914dd
  4. Test/repositories: remove the AUX GPG key from RHEL-8 repos

    This is needed for GPG key import to work on RHEL-9, because the key
    uses SHA-1. This results in the following error when importing the key
    during the build of the build container:
    
    "Signature not supported. Hash algorithm SHA1 not available."
    
    We do not need the AUX key in our RHEL-8 repo definitions used for
    testing.
    
    Signed-off-by: Tomáš Hozza <[email protected]>
    thozza committed Sep 20, 2024
    f1527b9