ROX-33562: Migrate main image Dockerfiles to ubi9-micro by janisz · Pull Request #19653 · stackrox/stackrox

janisz · 2026-03-27T13:11:50Z

Description

This commit migrates the main container image from ubi-minimal (~92 MB) to ubi-micro (~28 MB) base image, reducing the final image size and improving security posture by minimizing the attack surface.

Changes

Base image: ubi8-minimal (~92 MB) → ubi8-micro (~28 MB)
Build strategy: Multi-stage build with ubi8 builder for dependencies
Final image size: 188 MB → 122 MB

Build Architecture

Builder stage (ubi8): Install runtime dependencies using dnf/rpm
Final stage (ubi8-micro): Copy dependencies, no package managers

Related Work

This continues the image optimization efforts:

ROX-9598: Use ubi-minimal image #1054 - Initial migration to ubi8-minimal
chore(deps): remove unix utils from release image #14487 - Removed linux-utils package
chore(deps): remove lz4 and bzip2 #14489 - Removed lz4 and bzip2 packages
Use ubi8-micro image for operator #1220 - Operator migrated to ubi8-micro
Earlier ubi-micro migration attempts

User-facing documentation

CHANGELOG.md is updated OR update is not needed
documentation PR is created and is linked above OR is not needed

Testing and quality

the change is production ready: the change is GA, or otherwise the functionality is gated by a feature flag
CI results are inspected

Automated testing

How I validated my change

  export KUBECONFIG=/tmp/tests/kubeconfig
  kubectl -n stackrox set image deployment/central \
    central=quay.io/rhacs-eng/release-main:4.11.x-599-g2ece508791-fast
  kubectl -n stackrox set image deployment/scanner-v4-indexer \
    indexer=quay.io/rhacs-eng/release-scanner-v4:4.11.0-517-g99d643f394-fast

  kubectl -n stackrox set image deployment/scanner-v4-matcher \
    matcher=quay.io/rhacs-eng/release-scanner-v4:4.11.0-517-g99d643f394-fast

  kubectl -n stackrox rollout status deployment/central --timeout=5m
  kubectl -n stackrox rollout status deployment/scanner-v4-indexer --timeout=5m
  kubectl -n stackrox rollout status deployment/scanner-v4-matcher --timeout=5m

Then check in UI if everything is healthy and followed and check if scanner is working

# roxctl --insecure-skip-tls-verify -e https://tj0331aparttheeblank.demos.rox.systems:443 image scan --image=nginx:latest --output=table
Scan results for image: nginx:latest
(TOTAL-COMPONENTS: 57, TOTAL-VULNERABILITIES: 107, LOW: 87, MODERATE: 10, IMPORTANT: 9, CRITICAL: 1)

rhacs-bot · 2026-03-27T13:29:59Z

Images are ready for the commit at 90cc136.

To use with deploy scripts, first export MAIN_IMAGE_TAG=4.11.x-484-g90cc136570.

codecov · 2026-03-27T13:58:16Z

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 49.56%. Comparing base (b54ecbf) to head (4a7a836).
⚠️ Report is 38 commits behind head on master.

Additional details and impacted files

@@            Coverage Diff             @@
##           master   #19653      +/-   ##
==========================================
- Coverage   49.58%   49.56%   -0.02%     
==========================================
  Files        2766     2764       -2     
  Lines      208523   208357     -166     
==========================================
- Hits       103387   103269     -118     
+ Misses      97460    97436      -24     
+ Partials     7676     7652      -24

Flag	Coverage Δ
go-unit-tests	`49.56% <ø> (-0.02%)`	⬇️

Flags with carried forward coverage won't be shown. Click here to find out more.

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

janisz · 2026-03-27T15:45:07Z

/retest

janisz · 2026-03-30T14:54:53Z

/retest

coderabbitai · 2026-04-03T14:30:53Z

📝 Walkthrough

Walkthrough

Both RHEL Dockerfiles were updated to switch the final runtime base image from ubi9-minimal to ubi9-micro and reorganized multi-stage builds. Installation workflows were refactored to use dnf with chrooted installroot (/out/) instead of microdnf in the final stage, consolidating artifacts through staged filesystem preparation.

Changes

Cohort / File(s)	Summary
RHEL Dockerfile Updates `image/rhel/Dockerfile`, `image/rhel/konflux.Dockerfile`	Switched base image from `ubi9-minimal`/`ubi9/ubi-minimal` to `ubi9-micro`/`ubi9/ubi-micro`. Reorganized multi-stage builds with new `package_installer` stage. Replaced `microdnf` with `dnf` for package installation targeting a chrooted installroot. Moved `/etc/pki`, `/var/lib/stackrox`, `/var/log/stackrox`, `/var/cache/stackrox`, and `/tmp` creation to intermediate stage. Removed HEALTHCHECK instruction from standard Dockerfile.

Estimated code review effort

🎯 4 (Complex) | ⏱️ ~50 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: migrating main image Dockerfiles to ubi9-micro, which is the primary objective of the PR.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.
Description check	✅ Passed	PR description provides detailed context with clear objectives, multi-stage build architecture explanation, related work references, and validation steps with example output.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

📝 Generate docstrings

Create stacked PR
Commit on current branch

🧪 Generate unit tests (beta)

Create PR with unit tests
Commit unit tests in branch ROX-30858/migrate_main_to_ubi_micro

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

coderabbitai

Caution

Some comments are outside the diff and can’t be posted inline due to platform limitations.

⚠️ Outside diff range comments (1)

image/rhel/konflux.Dockerfile (1)
96-154: ⚠️ Potential issue | 🟠 Major

Add missing ENTRYPOINT instruction for consistency with main Dockerfile.

The main image/rhel/Dockerfile includes ENTRYPOINT ["/stackrox/roxctl"] at line 106, but this Konflux variant omits it. Other Konflux Dockerfiles in the repository (roxctl, operator, postgres) all specify an ENTRYPOINT, indicating this is not an intentional pattern of omission. Add the ENTRYPOINT instruction to ensure consistent container behavior.
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image/rhel/konflux.Dockerfile` around lines 96 - 154, The Konflux Dockerfile
is missing the ENTRYPOINT used in the main Dockerfile; add an ENTRYPOINT that
points to the roxctl binary to match behavior and other Konflux images: add
ENTRYPOINT ["/stackrox/roxctl"] (same as main image) near the end of the
Dockerfile after USER 4000:4000 (or immediately before if USER must be applied
at runtime), ensuring the container launches /stackrox/roxctl by default.

🧹 Nitpick comments (2)

image/rhel/konflux.Dockerfile (1)

93-94: Redundant copy of static-bin/* files.

Line 93 copies static-bin/* into /out/stackrox/, and line 98 copies the entire /out/ to /. Then line 111 copies static-bin/* again to /stackrox/, overwriting the same files. This is redundant and slightly increases build time.

Remove redundant COPY

 COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/bin/roxagent /stackrox/bin/
-COPY --from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /stackrox/
 RUN GOARCH=$(uname -m) ; \

Also applies to: 111-111

🤖 Prompt for AI Agents

Verify each finding against the current code and only fix it if needed.

In `@image/rhel/konflux.Dockerfile` around lines 93 - 94, The Dockerfile
duplicates copying static binaries: the COPY --from=go-builder
/go/src/github.com/stackrox/rox/app/image/rhel/static-bin/* /out/stackrox/ and a
later COPY that again places static-bin/* into /stackrox/ (overwriting the same
files); remove the redundant COPY (either the first one to /out/stackrox/ or the
later one to /stackrox/, depending on which target you need preserved) so the
static-bin files are only copied once, keep the chroot /out
/stackrox/save-dir-contents step intact and ensure the remaining COPY uses the
final target path (/stackrox/ or /out/stackrox/) expected by subsequent steps.

image/rhel/Dockerfile (1)

20-26: Consider adding dnf clean all to reduce intermediate layer size.

The dnf install -y zip command lacks cache cleanup. While this is an intermediate build stage and the cache won't reach the final image (only /stackrox-data is copied via line 82), adding cleanup would reduce CI cache/layer size.
Suggested fix
 FROM ubi-base AS stackrox_data

-RUN dnf install -y zip
+RUN dnf install -y zip && dnf clean all && rm -rf /var/cache/dnf /var/cache/yum

 WORKDIR /
🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In `@image/rhel/Dockerfile` around lines 20 - 26, The RUN that installs zip in the
stackrox_data stage leaves DNF caches and should be cleaned in the same layer to
reduce intermediate size; update the RUN that contains "dnf install -y zip" (in
the stackrox_data stage) to perform DNF cache cleanup after install (e.g., run
dnf clean all and remove /var/cache/dnf) so caches are removed in the same layer
that installs zip, keeping the rest of the Dockerfile (COPY
fetch-stackrox-data.sh and creation of /stackrox-data) unchanged.

🤖 Prompt for all review comments with AI agents

Verify each finding against the current code and only fix it if needed.

Outside diff comments:
In `@image/rhel/konflux.Dockerfile`:
- Around line 96-154: The Konflux Dockerfile is missing the ENTRYPOINT used in
the main Dockerfile; add an ENTRYPOINT that points to the roxctl binary to match
behavior and other Konflux images: add ENTRYPOINT ["/stackrox/roxctl"] (same as
main image) near the end of the Dockerfile after USER 4000:4000 (or immediately
before if USER must be applied at runtime), ensuring the container launches
/stackrox/roxctl by default.

---

Nitpick comments:
In `@image/rhel/Dockerfile`:
- Around line 20-26: The RUN that installs zip in the stackrox_data stage leaves
DNF caches and should be cleaned in the same layer to reduce intermediate size;
update the RUN that contains "dnf install -y zip" (in the stackrox_data stage)
to perform DNF cache cleanup after install (e.g., run dnf clean all and remove
/var/cache/dnf) so caches are removed in the same layer that installs zip,
keeping the rest of the Dockerfile (COPY fetch-stackrox-data.sh and creation of
/stackrox-data) unchanged.

In `@image/rhel/konflux.Dockerfile`:
- Around line 93-94: The Dockerfile duplicates copying static binaries: the COPY
--from=go-builder /go/src/github.com/stackrox/rox/app/image/rhel/static-bin/*
/out/stackrox/ and a later COPY that again places static-bin/* into /stackrox/
(overwriting the same files); remove the redundant COPY (either the first one to
/out/stackrox/ or the later one to /stackrox/, depending on which target you
need preserved) so the static-bin files are only copied once, keep the chroot
/out /stackrox/save-dir-contents step intact and ensure the remaining COPY uses
the final target path (/stackrox/ or /out/stackrox/) expected by subsequent
steps.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Central YAML (base), Organization UI (inherited)

Review profile: CHILL

Plan: Pro

Run ID: 5da37e4c-1ef7-4dbf-9c59-e968fc17ecb7

📥 Commits

Reviewing files that changed from the base of the PR and between df8c4bc and 90cc136.

📒 Files selected for processing (2)

image/rhel/Dockerfile
image/rhel/konflux.Dockerfile

msugakov

I've some dejavu feeling that I already reviewed and even commented on the same things.

Migrate both image/rhel/Dockerfile and image/rhel/konflux.Dockerfile from ubi9-minimal to ubi9-micro base images following the proven pattern from PR #19500 (roxctl migration). Changes: - Use multi-stage build with package_installer pattern - Install packages to /out/ using dnf --installroot - Preserve ubi9-micro rpmdb by copying before package installation - Move directory setup and save-dir-contents to package_installer stage - Remove HEALTHCHECK from Dockerfile (curl not available in ubi9-micro) - Pin SHA digests in konflux.Dockerfile for reproducible builds - Use --setopt=reposdir=/etc/yum.repos.d for Cachi2 compatibility Expected benefits: - 30-35% image size reduction (from ~450MB to ~350MB) - Smaller attack surface and reduced CVE exposure - Faster image pull/push operations This migration maintains full functionality while following the pattern established in PR #17406 and successfully merged in PR #19500. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com> Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

github-actions · 2026-04-08T11:17:16Z

🚀 Build Images Ready

Images are ready for commit 8d9c528. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-631-g8d9c528eae

github-actions · 2026-04-08T11:17:17Z

🚀 Build Images Ready

Images are ready for commit 660d694. To use with deploy scripts:

export MAIN_IMAGE_TAG=4.11.x-597-g660d694bb4

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

janisz · 2026-04-10T09:30:58Z

/retest

msugakov

Looks good! Just a few last comments.

Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

msugakov

Looks good!
Please make sure main-on-push build completes successfully. There's one still running https://github.com/stackrox/stackrox/pull/19653/checks?check_run_id=71050176657.

github-actions · 2026-04-13T09:52:03Z

/konflux-retest roxctl-on-push

github-actions · 2026-04-13T09:56:10Z

/konflux-retest operator-bundle-on-push

github-actions · 2026-04-13T10:04:16Z

/konflux-retest operator-bundle-on-push

github-actions · 2026-04-13T10:14:45Z

/konflux-retest roxctl-on-push

github-actions · 2026-04-13T10:21:13Z

/konflux-retest operator-bundle-on-push

Migrates scanner image from ubi9-minimal to ubi-micro base using proven multi-stage build pattern. Changes: - Remove ARG variables for base images (use explicit registry paths) - Add ubi-micro-base stage from registry.access.redhat.com/ubi9/ubi-micro - Add package_installer stage that preserves ubi-micro RPM database - Install ca-certificates to /out/ with --installroot - Copy package_installer /out/ to final stage - Keep all file operations in final stage (minimal diff) Why: ubi-micro eliminates package managers (dnf, rpm tools) reducing image size by ~30-35% and lowering CVE exposure. Pattern follows successful roxctl and operator migrations (PR #19653). Keeps diff minimal by only moving RPM installation to package_installer stage. Expected impact: Scanner image size reduction from ~90MB to ~60MB base. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Migrates Konflux scanner build from ubi9-minimal to ubi9-micro with SHA256-pinned base images for reproducibility. Changes: - Add ubi-micro-base stage (SHA256: 093a704be0ea...) - Add package_installer stage (SHA256: 6ed9f6f637fe...) - Install ca-certificates AND openssl (FIPS requirement) - Add inline comment documenting openssl FIPS requirement - Use --setopt=install_weak_deps=0 (standardized numeric syntax) - Use --setopt=reposdir=/etc/yum.repos.d for hermetic builds - Copy package_installer /out/ to final stage - Keep all file operations in final stage (minimal diff) Why: Achieves ~30-35% image size reduction while maintaining FIPS compliance for Red Hat builds. Follows minimal pattern from PR #19653 - only RPM installation moved to package_installer stage, all other operations remain in final stage for minimal diff. Expected impact: Scanner-v4 image size reduction and reduced CVE surface. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Updates Konflux build configuration to support RPM prefetching for hermetic builds with ubi-micro base. Changes: .tekton/scanner-v4-build.yaml: - Update prefetch-input to include both gomod and rpm types - Enables Cachi2 to prefetch ca-certificates and openssl RPMs rpms.in.yaml: - Update comment to document scanner usage of ca-certificates and openssl - Clarifies which Dockerfiles require these packages Why: ubi-micro cannot run package managers at build time, so RPM packages must be prefetched by Konflux/Cachi2 for hermetic builds. The --setopt=reposdir=/etc/yum.repos.d flag in konflux.Dockerfile references these prefetched packages. Without rpm prefetch, the Konflux build would fail when trying to install ca-certificates and openssl. Follows the pattern used by roxctl and operator Konflux builds. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Migrates scanner image from ubi9-minimal to ubi9-micro base using proven multi-stage build pattern. Changes: - Remove ARG variables for base images (use explicit registry paths) - Add ubi-micro-base stage from registry.access.redhat.com/ubi9/ubi-micro - Add package_installer stage that preserves ubi-micro RPM database - Install ca-certificates to /out/ with --installroot - Copy package_installer /out/ to final stage - Keep all file operations in final stage (minimal diff) - Retain all original comments Why: ubi-micro eliminates package managers (dnf, rpm tools) reducing image size by ~30-35% and lowering CVE exposure. Pattern follows successful main image migration (PR #19653). Keeps diff minimal by only moving RPM installation to package_installer stage. Expected impact: Scanner image size reduction from ~90MB to ~60MB base. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Migrates Konflux scanner build from ubi9-minimal to ubi9-micro with SHA256-pinned base images for reproducibility. Changes: - Add ubi-micro-base stage (SHA256: 093a704be0ea...) - Add package_installer stage (SHA256: 6ed9f6f637fe...) - Install ca-certificates AND openssl (FIPS requirement) - Add inline comment documenting openssl FIPS requirement - Use --setopt=install_weak_deps=0 (standardized numeric syntax) - Use --setopt=reposdir=/etc/yum.repos.d for hermetic builds - Copy package_installer /out/ to final stage - Keep all file operations in final stage (minimal diff) - Retain all original comments (labels, mapping files, etc.) Why: Achieves ~30-35% image size reduction while maintaining FIPS compliance for Red Hat builds. Follows minimal pattern from PR #19653 - only RPM installation moved to package_installer stage, all other operations remain in final stage for minimal diff. Expected impact: Scanner-v4 image size reduction and reduced CVE surface. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Migrates Konflux scanner build from ubi9-minimal to ubi9-micro with SHA256-pinned base images for reproducibility. Changes: - Add ubi-micro-base stage (SHA256: 093a704be0ea...) - Add package_installer stage (SHA256: 6ed9f6f637fe...) - Install ca-certificates AND openssl (documented in rpms.in.yaml) - Use --setopt=install_weak_deps=0 (standardized numeric syntax) - Use --setopt=reposdir=/etc/yum.repos.d for hermetic builds - Copy package_installer /out/ to final stage - Keep all file operations in final stage (minimal diff) - Retain all original comments (labels, mapping files, etc.) Why: Achieves ~30-35% image size reduction while maintaining FIPS compliance for Red Hat builds. Follows minimal pattern from PR #19653 - only RPM installation moved to package_installer stage, all other operations remain in final stage for minimal diff. Expected impact: Scanner-v4 image size reduction and reduced CVE surface. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Updates Konflux build configuration to support RPM prefetching for hermetic builds with ubi-micro base. Changes: .tekton/scanner-v4-build.yaml: - Update prefetch-input to include both gomod and rpm types - Use multi-line YAML format consistent with operator-build.yaml - Enables Cachi2 to prefetch ca-certificates and openssl RPMs rpms.in.yaml: - Update comment to document scanner usage of ca-certificates and openssl - Clarifies which Dockerfiles require these packages Why: ubi-micro cannot run package managers at build time, so RPM packages must be prefetched by Konflux/Cachi2 for hermetic builds. The --setopt=reposdir=/etc/yum.repos.d flag in konflux.Dockerfile references these prefetched packages. Without rpm prefetch, the Konflux build would fail when trying to install ca-certificates and openssl. Follows the pattern used by operator and other Konflux builds. AI-assisted migration based on PR #17430 and #19653 patterns. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

github-actions · 2026-04-13T10:41:23Z

/konflux-retest roxctl-on-push

Fixes PR #17431 by addressing all review comments and applying patterns from successful main image migration (PR #19653). Changes: - Remove ARG variables (use explicit registry paths) - Rename dependency_builder → package_installer (consistency) - Remove chroot usage (move operations to final stage) - Remove findutils and util-linux packages (not needed) - Remove uuid version conditional (releasever=9 hardcoded) - Install uuid unconditionally for compatibility - Remove duplicate ENV PG_MAJOR=15 from package_installer - Move user/group creation to final stage (no chroot needed) - Move directory creation to final stage - Move localedef to final stage - Keep tzdata reinstall with explanation (PostgreSQL requirement) - Preserve all comments Why: Follows minimal diff pattern from PR #19653 - only package installation in package_installer stage, all other operations in final stage for cleaner separation and no chroot usage. Addresses review comments: - dcaravel (line 109): RPM db preservation already fixed - dcaravel (line 54): Removed uuid conditional - dcaravel (line 21): Removed ENV PG_MAJOR duplication Expected impact: Scanner-db image size reduction ~30% while maintaining PostgreSQL functionality with timezone data and proper user setup. AI-assisted fix based on PR #19653 patterns and review feedback. Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

janisz · 2026-04-13T12:40:55Z

Manually tested quay.io/rhacs-eng/release-main:4.11.0-601-g4a7a836448-fast and it's working 🎉

Migrates scanner, scanner-db, and vulnerabilities images from ubi9-minimal to ubi9-micro base, following established patterns from stackrox/stackrox and stackrox/collector repositories. Changes: - Scanner images: Multi-stage build with package_installer for runtime deps - Scanner-DB images: Complex migration with PostgreSQL via chroot user/locale setup - Vulnerabilities image: Simple base image change (minimal deps) - Tekton configs: Added RPM prefetch + ACTIVATION_KEY for hermetic builds - rpms.in.yaml: Scanner packages (excludes coreutils - ubi9-micro has coreutils-single) - rpms.lock.yaml: Generated lockfile for all architectures Benefits: - ~30-35% image size reduction (ubi9-micro ~28MB vs ubi9-minimal ~92MB) - Improved security - package managers removed from runtime - Reduced CVE exposure surface - Alignment with organization-wide ubi9-micro standardization Technical details: - Scanner keeps rpm package (required for image scanning functionality) - PostgreSQL user created as UID/GID 70 via chroot - Locale set to en_US.UTF-8 via chroot - Konflux builds use SHA256-pinned base images - All scripts require bash (not sh) Reference PRs: - stackrox/stackrox#17431 (scanner-db migration) - stackrox/stackrox#17430 (scanner migration) - stackrox/collector#3021 (collector migration pattern) - stackrox/stackrox#19653 (main image migration) - stackrox/stackrox#19985 (debugging utilities) Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com> Co-authored-by: Claude Sonnet 4.5 <noreply@anthropic.com> Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>

janisz requested review from a team and rhacs-bot as code owners March 27, 2026 13:11

rhacs-bot requested a review from a team March 27, 2026 13:11

github-actions bot added area/helm konflux-build Run Konflux in PR. Push commit to trigger it. labels Mar 27, 2026

janisz force-pushed the ROX-30858/migrate_main_to_ubi_micro branch from d3344ba to 57976be Compare March 27, 2026 13:25

janisz force-pushed the ROX-30858/migrate_main_to_ubi_micro branch from 57976be to aedfb9a Compare March 30, 2026 15:33

janisz added the auto-retest PRs with this label will be automatically retested if prow checks fails label Mar 30, 2026

janisz requested a review from msugakov April 1, 2026 10:43

janisz mentioned this pull request Apr 1, 2026

ROX-30858: Migrate main image to ubi-micro #17406

Closed

janisz changed the title ~~ROX-30858: Migrate main image Dockerfiles to ubi9-micro~~ ROX-33562: Migrate main image Dockerfiles to ubi9-micro Apr 2, 2026

parametalol added the coderabbit-review label Apr 3, 2026

coderabbitai bot reviewed Apr 3, 2026

View reviewed changes

msugakov reviewed Apr 7, 2026

View reviewed changes

janisz and others added 4 commits April 8, 2026 13:02

fix save-dir-contents

98d0e01

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

Apply suggestions from code review

6eec73f

Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>

remove args

660d694

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

janisz force-pushed the ROX-30858/migrate_main_to_ubi_micro branch from 2e747fd to 660d694 Compare April 8, 2026 11:04

keep old comment

d9ca952

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

move chown to final image

2ece508

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

janisz requested a review from msugakov April 10, 2026 15:01

msugakov reviewed Apr 10, 2026

View reviewed changes

Comment thread image/rhel/Dockerfile Outdated

Comment thread image/rhel/konflux.Dockerfile

Comment thread image/rhel/konflux.Dockerfile Outdated

janisz and others added 2 commits April 13, 2026 11:03

Apply suggestion from @msugakov

2d6dcb7

Co-authored-by: Misha Sugakov <537715+msugakov@users.noreply.github.com>

fix new appraoch

4a7a836

Signed-off-by: Tomasz Janiszewski <tomek@redhat.com>

janisz requested a review from msugakov April 13, 2026 09:23

msugakov approved these changes Apr 13, 2026

View reviewed changes

Comment thread image/rhel/Dockerfile

janisz merged commit 8d9c528 into master Apr 13, 2026
118 of 124 checks passed

janisz deleted the ROX-30858/migrate_main_to_ubi_micro branch April 13, 2026 12:41

Conversation

janisz commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Description

Changes

Build Architecture

Related Work

User-facing documentation

Testing and quality

Automated testing

How I validated my change

Uh oh!

rhacs-bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Uh oh!

codecov bot commented Mar 27, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Codecov Report

Uh oh!

janisz commented Mar 27, 2026

Uh oh!

janisz commented Mar 30, 2026

Uh oh!

coderabbitai bot commented Apr 3, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

Walkthrough

Changes

Estimated code review effort

Uh oh!

coderabbitai bot left a comment

Choose a reason for hiding this comment

Uh oh!

msugakov left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

Uh oh!

github-actions bot commented Apr 8, 2026 • edited Loading Uh oh! There was an error while loading. Please reload this page.

Uh oh!

🚀 Build Images Ready

Uh oh!

github-actions bot commented Apr 8, 2026

🚀 Build Images Ready

Uh oh!

janisz commented Apr 10, 2026

Uh oh!

msugakov left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

Uh oh!

Uh oh!

msugakov left a comment

Choose a reason for hiding this comment

Uh oh!

Uh oh!

github-actions bot commented Apr 13, 2026

Uh oh!

github-actions bot commented Apr 13, 2026

Uh oh!

github-actions bot commented Apr 13, 2026

Uh oh!

github-actions bot commented Apr 13, 2026

Uh oh!

github-actions bot commented Apr 13, 2026

Uh oh!

github-actions bot commented Apr 13, 2026

Uh oh!

janisz commented Apr 13, 2026

Uh oh!

Uh oh!

Reviewers

Assignees

janisz commented Mar 27, 2026 •

edited

Loading

rhacs-bot commented Mar 27, 2026 •

edited

Loading

codecov bot commented Mar 27, 2026 •

edited

Loading

coderabbitai bot commented Apr 3, 2026 •

edited

Loading

github-actions bot commented Apr 8, 2026 •

edited

Loading