From af66e43ea1ef1db6e54ecbdd3c8be8a0ef18f05f Mon Sep 17 00:00:00 2001
From: Kevin Fenzi <kevin@scrye.com>
Date: Mar 30 2020 15:19:08 +0000
Subject: koji_hub / rules: drop fedora-release and fedora-repos from secure-boot channel


FESCo voted to do this: https://pagure.io/fesco/issue/2358

Signed-off-by: Kevin Fenzi <kevin@scrye.com>

---

diff --git a/roles/koji_hub/templates/hub.conf.j2 b/roles/koji_hub/templates/hub.conf.j2
index f2cf48c..1ebcd6a 100644
--- a/roles/koji_hub/templates/hub.conf.j2
+++ b/roles/koji_hub/templates/hub.conf.j2
@@ -82,12 +82,12 @@ Plugins = fedmsg-koji-plugin runroot_hub hub_containerbuild tag2distrepo sidetag
 [policy]
 
 tag =
-    user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
-    user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
-    user bodhi && tag *-override && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
-    has_perm autosign && fromtag *-pending && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
-    has_perm autosign && fromtag *-candidate && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
-    has_perm secure-boot && package kernel shim grub2 fedora-release fedora-repos pesign :: allow
+    user mbs/mbs.fedoraproject.org && tag module-* && package kernel shim grub2 pesign :: allow
+    user mbs/mbs.fedoraproject.org && fromtag module-* && package kernel shim grub2 pesign :: allow
+    user bodhi && tag *-override && package kernel shim grub2 pesign :: allow
+    has_perm autosign && fromtag *-pending && package kernel shim grub2 pesign :: allow
+    has_perm autosign && fromtag *-candidate && package kernel shim grub2 pesign :: allow
+    has_perm secure-boot && package kernel shim grub2 pesign :: allow
     # CoreOS continuous builds, https://pagure.io/releng/issue/8165
     operation tag && tag f*-coreos-continuous && has_perm coreos-continuous :: allow
     operation untag && fromtag f*-coreos-continuous && has_perm coreos-continuous :: allow
@@ -96,7 +96,7 @@ tag =
     operation tag && tag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
     operation untag && fromtag coreos-pool f*-coreos-signing-pending coreos-release && has_perm coreos-continuous :: allow
     # deny tagging secureboot packages that are not related to coreos-continuous
-    package kernel shim grub2 fedora-release fedora-repos pesign :: deny
+    package kernel shim grub2 pesign :: deny
 # Allow people to tag stuff into infra-candidate if they're infra
     tag *-infra-candidate && has_perm infra :: allow
     tag *-infra-candidate :: deny