# pr-definition-of-done

Use when preparing a pull request for review or when CI checks fail. Checklist covering commit conventions, Dockerfile linting, formatting rules, security, and all CI checks that run on PRs.
Every PR to this repo triggers GitHub Actions workflows (hadolint, agentready) and a Tekton build pipeline (hermetic image build + security scans + integration test). This checklist covers what CI enforces and what reviewers expect.
## Commit conventions

- Subject format: `type(JIRA-ID): description` (e.g., `fix(STONEINTG-1644): update jq version`)
- Allowed types: feat, fix, chore, refactor, test, docs
- Sign off every commit with `git commit -s`
- Add an `Assisted-by: <tool-name>` trailer when a tool helped produce the change

## Dockerfile rules

- hadolint runs on the Dockerfile; DL3041 is ignored because microdnf usage is expected
- Install exactly the package versions that rpms.lock.yaml pins
- Use a single RUN for package installation to minimize layers
- Keep rpms.in.yaml, rpms.lock.yaml, and artifacts.lock.yaml in sync

## GitHub Actions workflows

| Workflow | File | What It Checks |
|---|---|---|
| Dockerfile linter | .github/workflows/linters.yaml | hadolint on Dockerfile (ignores DL3041) |
| Agentready | .github/workflows/agentready.yaml | AI-readiness assessment of repo structure |
## Tekton PR pipeline (.tekton/clair-in-ci-db-hermetic-pull-request.yaml)

| Phase | Tasks |
|---|---|
| Build | init → clone → fetch-db-data → prefetch → build-container → build-image-index |
| Security scans | clair-scan, clamav-scan, sast-snyk-check, sast-shell-check, sast-unicode-check, sast-coverity-check, rpms-signature-scan, ecosystem-cert-preflight-checks, deprecated-base-image-check |
| Finalize | show-sbom, apply-tags, push-dockerfile |
## Integration test (integration-tests/clair_validation.yaml)

Runs automatically after the Tekton build pipeline succeeds:

- Runs `clair-action report` against registry.access.redhat.com/ubi9-minimal using the built image
- Uses the PR image tag `on-pr-{{revision}}`

## Code owners

All files are owned by the integration-service team. Reviews are automatically requested based on the .github/CODEOWNERS file.
## Common mistakes

| Mistake | Fix |
|---|---|
| hadolint fails | Check Dockerfile syntax; DL3041 is ignored but other rules apply |
| Pipeline timeout | fetch-db-data has 2h timeout and needs 16-32 GiB — this is expected for large DB updates |
| Checksum mismatch in prefetch | Lock files are out of sync — regenerate rpms.lock.yaml and artifacts.lock.yaml |
| Integration test fails | Built image can't scan ubi9-minimal — check that matcher.db was correctly built into the image |
| Commit not signed off | Use git commit -s or amend with git commit --amend -s |
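As an added example (not part of this repository's tooling), a shell pre-check that enforces the commit conventions above before a PR is opened: subject in `type(JIRA-ID): description` form with an allowed type, a `Signed-off-by` trailer from `git commit -s`, and a non-empty `Assisted-by` trailer when one is present. The function name `check_commit_msg` and the sample messages are constructed for this example.

```shell
#!/usr/bin/env bash
# check_commit_msg: validate one commit message against the PR checklist.
# Constructed helper for this page; not the repo's own tooling.
# Usage: check_commit_msg "$(git log -1 --format=%B)"
set -u

ALLOWED_TYPES='feat|fix|chore|refactor|test|docs'

check_commit_msg() {
  local msg="$1" subject
  subject=$(printf '%s\n' "$msg" | head -n1)

  # Subject line: type(JIRA-ID): description, e.g. fix(STONEINTG-1644): update jq version
  if ! printf '%s' "$subject" | grep -Eq "^(${ALLOWED_TYPES})\([A-Z][A-Z0-9]+-[0-9]+\): .+"; then
    echo "bad subject '$subject': want type(JIRA-ID): description with type in ${ALLOWED_TYPES}" >&2
    return 1
  fi

  # Sign-off trailer that git commit -s adds (DCO-style, with an e-mail address)
  if ! printf '%s\n' "$msg" | grep -Eq '^Signed-off-by: .+ <.+@.+>$'; then
    echo "missing Signed-off-by trailer: use git commit -s or git commit --amend -s" >&2
    return 1
  fi

  # Assisted-by is optional, but if present it must name the tool
  if printf '%s\n' "$msg" | grep -q '^Assisted-by:' &&
     ! printf '%s\n' "$msg" | grep -Eq '^Assisted-by: [^ ].*$'; then
    echo "Assisted-by trailer present but no tool name given" >&2
    return 1
  fi
  return 0
}
```

Wire it into a local `commit-msg` hook (passing the message file's contents) to catch these before CI does.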