pr-definition-of-done
| name | pr-definition-of-done |
| description | Use when preparing a pull request for review or when CI checks fail. Checklist covering commit conventions, Dockerfile linting, formatting rules, security, and all CI checks that run on PRs. |
Every PR to this repo triggers GitHub Actions workflows (hadolint, agentready) and a Tekton build pipeline (hermetic image build + security scans + integration test). This checklist covers what CI enforces and what reviewers expect.
Commit conventions:

- Subject format: `type(JIRA-ID): description` (e.g., `fix(STONEINTG-1644): update jq version`)
- Allowed types: feat, fix, chore, refactor, test, docs
- Sign off every commit with `git commit -s`
- `Assisted-by: <tool-name>` trailer

Dockerfile rules:

- microdnf usage is expected
- `rpms.lock.yaml` pins package versions exactly
- Use a single `RUN` for package installation to minimize layers
- `rpms.in.yaml`, `rpms.lock.yaml`, and `artifacts.lock.yaml` are in sync

GitHub Actions workflows:

| Workflow | File | What It Checks |
|---|---|---|
| Dockerfile linter | .github/workflows/linters.yaml | hadolint on Dockerfile (ignores DL3041) |
| Agentready | .github/workflows/agentready.yaml | AI-readiness assessment of repo structure |
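The commit conventions above (a `type(JIRA-ID): description` subject with one of the listed types, a `Signed-off-by` trailer from `git commit -s`, and an optional `Assisted-by` trailer) expressed as a `commit-msg` hook. This is an added example, not code from the repository; the JIRA key pattern `[A-Z][A-Z0-9]+-[0-9]+` is an assumption generalised from the `STONEINTG-1644` example.

```shell
#!/usr/bin/env sh
# Added example (not part of the repository): a commit-msg hook enforcing the
# PR checklist's commit conventions. Install as .git/hooks/commit-msg.
# Assumption: JIRA keys look like PROJECT-123 ([A-Z][A-Z0-9]+-[0-9]+).

# check_commit_msg FILE -> returns 0 if the message passes, 1 otherwise,
# printing every violation to stderr.
check_commit_msg() {
    msg_file=$1
    rc=0
    subject=$(head -n 1 "$msg_file")

    # Subject line: type(JIRA-ID): description, type from the allowed list.
    if ! printf '%s\n' "$subject" | grep -Eq '^(feat|fix|chore|refactor|test|docs)\([A-Z][A-Z0-9]+-[0-9]+\): .+'; then
        echo "commit-msg: subject must match 'type(JIRA-ID): description' (types: feat, fix, chore, refactor, test, docs): '$subject'" >&2
        rc=1
    fi

    # DCO sign-off trailer, as produced by 'git commit -s'.
    if ! grep -Eq '^Signed-off-by: .+ <.+@.+>$' "$msg_file"; then
        echo "commit-msg: missing Signed-off-by trailer (use git commit -s)" >&2
        rc=1
    fi

    # Assisted-by is optional, but when present it must name a tool.
    if grep -Eq '^Assisted-by:' "$msg_file" && ! grep -Eq '^Assisted-by: [^[:space:]]' "$msg_file"; then
        echo "commit-msg: Assisted-by trailer present but no tool name given" >&2
        rc=1
    fi
    return $rc
}

# When run by git as a hook, $1 is the path of the message being committed.
if [ -n "$1" ] && [ -f "$1" ]; then
    check_commit_msg "$1"
fi
```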
Tekton build pipeline (.tekton/clair-in-ci-db-hermetic-pull-request.yaml):

| Phase | Tasks |
|---|---|
| Build | init → clone → fetch-db-data → prefetch → build-container → build-image-index |
| Security scans | clair-scan, clamav-scan, sast-snyk-check, sast-shell-check, sast-unicode-check, sast-coverity-check, rpms-signature-scan, ecosystem-cert-preflight-checks, deprecated-base-image-check |
| Finalize | show-sbom, apply-tags, push-dockerfile |
Integration test (integration-tests/clair_validation.yaml) runs automatically after the Tekton build pipeline succeeds:

- Runs a clair-action report against registry.access.redhat.com/ubi9-minimal using the built image
- Built image tag: on-pr-{{revision}}

Code owners: all files are owned by the integration-service team. Reviews are automatically requested based on the .github/CODEOWNERS file.

Common mistakes:
| Mistake | Fix |
|---|---|
| hadolint fails | Check Dockerfile syntax; DL3041 is ignored but other rules apply |
| Pipeline timeout | fetch-db-data has 2h timeout and needs 16-32 GiB — this is expected for large DB updates |
| Checksum mismatch in prefetch | Lock files are out of sync — regenerate rpms.lock.yaml and artifacts.lock.yaml |
| Integration test fails | Built image can't scan ubi9-minimal — check that matcher.db was correctly built into the image |
| Commit not signed off | Use git commit -s or amend with git commit --amend -s |