docs: add Podman rootless mode instructions to CONTAINER.md

[kami619]

Description

Type of Change

• Bug fix (non-breaking change which fixes an issue)
• New feature (non-breaking change which adds functionality)
• Breaking change (fix or feature that would cause existing functionality to not work as expected)
• Documentation update
• Refactoring (no functional changes)
• Performance improvement
• Test coverage improvement

Fixes #267

Changes Made

Add comprehensive documentation for running AgentReady container on rootless Podman environments (Fedora, RHEL, CentOS) with:

• New "Podman Rootless Mode" section with complete working command
• Explanation table for required flags (--userns, --user, GIT_CONFIG_*)
• SELinux volume label guidance (:z vs :Z)
• Enhanced troubleshooting for Git "dubious ownership" error
• Cross-references between sections

Testing

• Unit tests pass (pytest)
• Integration tests pass
• Manual testing performed
• No new warnings or errors

Checklist

• My code follows the project's code style
• I have performed a self-review of my own code
• I have commented my code, particularly in hard-to-understand areas
• I have made corresponding changes to the documentation
• My changes generate no new warnings
• I have added tests that prove my fix is effective or that my feature works
• New and existing unit tests pass locally with my changes
• Any dependent changes have been merged and published

Screenshots (if applicable)

Additional Notes

[github-actions]

📈 Test Coverage Report

Branch	Coverage
This PR	65.5%
Main	65.5%
Diff	✅ +0%

---

Coverage calculated from unit tests only

[jeremyeder]

hey if you intend to use podman, i suggest adding a test of this along with the docs.

[github-actions]

Outdated review (click to expand)

🤖 AgentReady Code Review

PR Status: 3 issues found (2 🔴 Critical, 1 🟡 Major)
Score Impact: Current 80.0/100 → 78.5/100 if issues remain (-1.5 points)
Certification: Gold → Gold (maintained, but points at risk)

---

🔴 Critical Issues (Confidence ≥90) - Auto-Fix Recommended

1. Missing actionlint Validation (MANDATORY)

Attribute: 1.1 CLAUDE.md Configuration Files (Tier 1 - Essential)
Confidence: 100% (BLOCKING)
Score Impact: −1.0 points
Location: .github/workflows/container-test.yml (entire file)

Issue Details:
CLAUDE.md explicitly requires: "ALWAYS run actionlint and fix any issues before pushing changes to GitHub Actions workflows. All workflows must pass actionlint validation with zero errors/warnings."

This is a non-negotiable requirement that applies to ALL workflow modifications. No evidence of actionlint validation in PR description or commit messages.

Remediation:

# Install actionlint (if not already installed)
brew install actionlint  # macOS
# OR
go install github.com/rhysd/actionlint/cmd/actionlint@latest

# Run validation
actionlint .github/workflows/container-test.yml

# Fix all issues (must show 0 errors/warnings)

---

2. Shell Glob Pattern in test -f Commands Will Fail

Attribute: 3.4 Code Smell Elimination (Tier 3 - Important)
Confidence: 95% (HIGH)
Score Impact: −0.3 points
Location: Lines 43-45

Issue Details:
The test -f command does NOT support glob patterns. When shell expansion occurs:

• Multiple files: test -f file1.json file2.json → Error: "too many arguments"
• No files: test -f *.json → Tests for literal filename "*.json" (wrong)
• One file: Works, but only by accident

AgentReady generates timestamped reports, so multiple files will cause failure.

Remediation:

# Replace with proper file existence checks:
test "$(find "$PWD/test-reports/" -maxdepth 1 -name "*.json" -type f | wc -l)" -gt 0
test "$(find "$PWD/test-reports/" -maxdepth 1 -name "*.html" -type f | wc -l)" -gt 0
test "$(find "$PWD/test-reports/" -maxdepth 1 -name "*.md" -type f | wc -l)" -gt 0

---

🟡 Major Issues (Confidence 80-89) - Manual Review Required

3. Missing Inline Comments for Complex Shell Commands

Attribute: 2.2 Inline Documentation (Tier 2 - Critical)
Confidence: 85%
Score Impact: −0.2 points
Location: Lines 27-36

Issue Details:
The multi-line podman run command has 6 complex flags but NO explanatory comments. Project workflows consistently document complex shell commands with inline comments.

---

✅ Positive Findings

Excellent Documentation Quality (CONTAINER.md):

• Comprehensive "Podman Rootless Mode" section with working examples
• Clear "Why These Flags?" explanation table
• Excellent troubleshooting section covering 3 common error scenarios

Workflow Design:

• Proper use of if: always() for artifact upload
• Current action versions (checkout@v6, upload-artifact@v4)
• Appropriate trigger paths

Conventional Commits:

• All 4 commits follow conventional format correctly

---

Summary

Blocking Requirements Before Merge:

1. ✅ Run actionlint and show zero errors/warnings (MANDATORY per CLAUDE.md)
2. ✅ Fix shell glob pattern in test commands
3. ⚠️ Add inline comments to complex podman command (strongly recommended)

🤖 Generated with Claude Code

[github-actions]

Outdated review (click to expand)

🤖 AgentReady Code Review

PR Status: 7 issues found (2 🔴 Critical, 3 🟡 Major, 2 🔵 Minor)
Score Impact: Current 80.0/100 → 82.5/100 if all issues fixed
Certification: Gold → Gold (closer to Platinum threshold)

---

🔴 Critical Issues (Confidence ≥90) - Auto-Fix Recommended

1. Shell glob pattern misuse in file verification

Attribute: 5.3 Pre-commit Hooks & CI/CD Linting (Tier 2)
Confidence: 100%
Score Impact: −1.5 points
Location: .github/workflows/container-test.yml:43-45

Issue: test -f does NOT support glob patterns. When the shell expands *.json, if multiple files match, test -f receives multiple arguments and fails.

Remediation: Replace with find commands that properly handle globs.

---

2. Missing actionlint validation violates CLAUDE.md requirement

Attribute: 5.3 Pre-commit Hooks & CI/CD Linting (Tier 2) - MANDATORY
Confidence: 95%
Score Impact: −2.0 points

Issue: CLAUDE.md states 'ALWAYS run actionlint and fix any issues before pushing changes to GitHub Actions workflows'. No evidence of validation.

Remediation: Run actionlint .github/workflows/container-test.yml

---

🟡 Major Issues (Confidence 80-89)

3. Unquoted GitHub Actions expressions

Attribute: 13.2 Secrets Management (Tier 3)
Confidence: 85%
Score Impact: −1.0 points
Location: Lines 21,34-35,42

Issue: Unquoted paths could lead to word splitting or injection.

---

4. Missing test coverage for new CI functionality

Attribute: 5.1 Test Coverage Requirements (Tier 1)
Confidence: 80%
Score Impact: −1.5 points

Issue: 53 lines of new workflow code without tests violates '>80% coverage for new code' requirement.

---

5. TOCTOU race condition in directory operations

Attribute: 13.1 Security Scanning Automation (Tier 3)
Confidence: 75%
Score Impact: −0.5 points
Location: Lines 20-21,39-45

---

🔵 Minor Issues

6. Missing workflow documentation comments

Attribute: 2.2 Inline Documentation (Tier 2)
Confidence: 90%
Score Impact: −0.3 points

7. Missing explicit workflow permissions

Attribute: 13.2 Secrets Management (Tier 3)
Confidence: 85%
Score Impact: −0.2 points

---

Summary

Auto-Fix Candidates: 2 critical issues
Manual Review: 3 major issues
Score Improvement: +2.5 points if all fixed

Positive Highlights:
✅ Excellent CONTAINER.md documentation
✅ Proper conventional commits
✅ Good test coverage strategy
✅ Proper artifact handling
✅ Links to well-documented issue #267

---

🤖 Generated with Claude Code

[github-actions]

AgentReady Code Review - PR #286

Overall Assessment: ✅ APPROVED with minor recommendations

This PR successfully addresses Issue #267 by adding comprehensive Podman rootless mode documentation and automated testing. The changes improve the agent-readiness of the AgentReady project itself.

---

🎯 AgentReady Attribute Compliance

✅ Strengths (Attributes Improved)

Attribute	Impact	Score Impact
Documentation Quality	Added detailed Podman rootless documentation with explanation tables, troubleshooting, and cross-references	+5 points
CI/CD Integration	New workflow tests the documented commands automatically	+3 points
Testing Coverage	Automated container testing for critical user workflows	+2 points
Clear Prerequisites	Explicit SELinux, UID mapping, and Git security explanations	+2 points

Estimated Score Impact: +12 points (80.0 → 92.0 potential)

---

🔒 Security Analysis

✅ Secure Practices Identified

1. Read-only repository mount: .github/workflows/container-test.yml:34

   -v ${{ github.workspace }}:/repo:ro,z

   Excellent defense-in-depth preventing accidental modifications.

2. SELinux labeling: Uses :z (shared) appropriately for multi-container scenarios

3. Non-root container execution: CONTAINER.md:146

   --user $(id -u):$(id -g)
   --userns=keep-id

   Follows least-privilege principle.

4. Pinned actions versions: .github/workflows/container-test.yml:18

⚠️ Security Recommendations

1. Pin container image by digest (Medium Priority)

   • Prevents supply chain attacks if registry is compromised
   • Consider for production workflows after merge

2. Add workflow permission restrictions (Low Priority)

   permissions:
     contents: read
     pull-requests: read

---

📝 Documentation Quality

✅ Excellent Additions

1. Structured explanation table (CONTAINER.md:143-148)

   • Clear flag-by-flag breakdown
   • "Why These Flags?" section is pedagogical and agent-friendly

2. Cross-referencing (CONTAINER.md:240, 267)

   • Links troubleshooting back to main solution
   • Prevents documentation fragmentation

3. SELinux guidance (CONTAINER.md:160-162)

   • Distinguishes :z vs :Z use cases
   • Practical "When Do I Need This?" section

4. Complete working command (CONTAINER.md:129-139)

   • Copy-paste ready for users
   • All flags explained

---

🧪 Testing & CI/CD

✅ Well-Designed Workflow

1. Appropriate triggers - only runs when relevant files change
2. Artifact retention - 30 days is reasonable
3. Comprehensive verification - checks all three output formats

⚠️ Workflow Issues to Address

CRITICAL: Run actionlint before merge per CLAUDE.md guidelines:

actionlint .github/workflows/container-test.yml

Potential Issues:

1. Shell expansion in test commands (.github/workflows/container-test.yml:43-45)

   • Globbing *.json might fail if multiple files match or no files match
   • Consider using explicit file checks with proper error handling

2. Ubuntu may not have Podman by default

   • Add Podman installation step after checkout:

   - name: Install Podman
     run: |
       sudo apt-get update
       sudo apt-get install -y podman

---

🏗️ Code Quality

✅ Best Practices Followed

1. Conventional commit message: docs: add Podman rootless mode instructions to CONTAINER.md
2. Issue reference: "Fixes [BUG] Agent Ready Container mode execution instructions misses some key details #267" in PR description
3. No breaking changes: Additive documentation only
4. Consistent formatting: Markdown style matches existing docs

📊 Attribute Mapping (AgentReady Self-Assessment Impact)

File Modified	Attributes Affected	Assessment Impact
CONTAINER.md	clarity_claudemd, documentation_quality	Improves documentation completeness
.github/workflows/container-test.yml	ci_cd_integration, testing_strategy	Adds automated testing

Current Self-Assessment: 80.0/100 (Gold)
Potential After Merge: ~82-85/100 (Gold, moving toward Platinum)

---

📋 Pre-Merge Checklist

• Documentation is clear and actionable
• Security best practices followed (with minor recommendations)
• Workflow triggers are appropriate
• TODO: Run actionlint .github/workflows/container-test.yml and fix issues
• TODO: Verify Podman is available on ubuntu-latest runners
• TODO: Fix shell globbing in test verification step
• Conventional commit format
• Issue [BUG] Agent Ready Container mode execution instructions misses some key details #267 referenced

---

🎬 Recommended Actions

Before Merge (Required)

1. Run actionlint .github/workflows/container-test.yml and fix any errors
2. Fix test verification shell globbing issues
3. Add Podman installation step to workflow

After Merge (Optional Enhancements)

1. Pin container digest for production workflows
2. Add workflow permissions block
3. Consider adding diagnostic flowchart to docs

---

🌟 Conclusion

This PR demonstrates excellent attention to user experience and operational excellence. The documentation additions directly address a common pain point for Podman users, and the automated testing ensures the instructions stay accurate.

Recommendation: Approve with minor workflow fixes required before merge.

Score Impact Estimate: +10-12 points toward AgentReady self-assessment (documentation, CI/CD, testing attributes).

Great work @kami619! This is a high-quality contribution that improves the agent-readiness of the AgentReady project itself. 🚀

---

Review Generated By: AgentReady /review-agentready skill
Timestamp: 2026-02-12
Reviewer: Claude Code

[github-actions]

AgentReady Code Review - PR #286

🎯 Overview

Type: Documentation Enhancement + CI/CD Addition
Impact: Improves container usability for rootless Podman users on RHEL/Fedora/CentOS
Risk Level: Low (documentation-only for CONTAINER.md, new workflow for testing)

---

✅ AgentReady Attribute Analysis

Documentation Quality (Tier 1 - Essential)

Status: ✅ EXCELLENT

• Container Instructions: Comprehensive Podman rootless mode documentation added
• Troubleshooting: Enhanced with clear error symptom → solution mapping
• Cross-References: Good use of internal links between sections
• Formatting: Well-structured tables, code blocks, and headers

Strengths:

• Complete working command with all required flags
• Clear explanation table for each flag's purpose
• "When Do I Need This?" section helps users self-diagnose
• SELinux label guidance (:z vs :Z) with proper context

Suggestions for Future Enhancement:

• Consider adding a "Quick Reference" section at the top with decision tree
• Could benefit from a comparison table (Docker vs Podman rootless vs Podman rootful)

---

CI/CD Integration (Tier 2 - Critical)

Status: ✅ STRONG

New Workflow: .github/workflows/container-test.yml

Strengths:

• Tests the exact command documented in CONTAINER.md (documentation-code alignment)
• Proper trigger conditions (pull_request on relevant paths + workflow_dispatch)
• Artifact retention (30 days) for debugging
• Verification step confirms all report formats generated

Security & Best Practices:

• ✅ Uses actions/checkout@v6 (latest stable)
• ✅ Uses actions/upload-artifact@v4 (latest stable)
• ✅ Read-only volume mount (:ro,z) for repository
• ✅ Proper SELinux labeling (:z flag)
• ✅ --rm flag prevents container accumulation

Potential Improvements:

1. actionlint validation needed: Per CLAUDE.md guidelines, run actionlint before committing
2. Shell quoting: Line 36 uses unquoted path expansion
3. Error handling: No fallback if container pull fails
4. Resource limits: Consider adding memory/CPU limits for CI efficiency

---

Code Quality Issues

⚠️ Medium Priority

File: .github/workflows/container-test.yml:36

# Current
assess /repo --output-dir /reports

# Better - Quote paths
assess "/repo" --output-dir "/reports"

Rationale: While unlikely to cause issues here, consistent quoting prevents path expansion bugs.

---

File: .github/workflows/container-test.yml:24

# Current
run: podman pull ghcr.io/ambient-code/agentready:latest

# Suggested - Add error handling
run: |
  podman pull ghcr.io/ambient-code/agentready:latest || {
    echo "::error::Failed to pull container image"
    exit 1
  }

Rationale: Explicit error handling makes CI failures clearer.

---

Testing (Tier 1 - Essential)

Status: ⚠️ PARTIAL

Manual Testing: ✅ Checked in PR description
Automated Testing: ✅ New CI workflow added

Gap: No pre-merge validation that the workflow syntax is correct

Recommendation: Run actionlint locally before pushing:

# Install actionlint
go install github.com/rhysd/actionlint/cmd/actionlint@latest

# Validate workflow
actionlint .github/workflows/container-test.yml

---

Git Practices (Tier 1 - Essential)

Status: ✅ GOOD

• ✅ Conventional commit message: docs: add Podman rootless mode instructions
• ✅ Clear issue reference: Fixes #267
• ✅ Descriptive branch name: bugfix/issue-267-podman-rootless-docs
• ✅ Focused changes (2 files, 117 additions, 3 deletions)

---

🔒 Security Analysis

Container Security

✅ No security issues found

Positive Security Practices:

• Read-only repository mount (:ro,z)
• User namespace isolation (--userns=keep-id)
• Non-root container execution (--user)
• Proper SELinux contexts
• No credential exposure

---

Workflow Security

✅ No security issues found

Positive Practices:

• Pinned action versions (@v6, @v4)
• No secrets used
• Limited artifact retention (30 days)
• workflow_dispatch allows manual testing

Potential Hardening (Optional):

• Pin action versions to full commit SHA for maximum reproducibility
• Add permissions: read-all to limit token scope

---

📊 Score Impact Estimate

Attributes Positively Affected

Attribute	Tier	Current → Expected	Impact
Container Documentation	1	70 → 95	+25
Troubleshooting Guides	2	80 → 90	+10
CI/CD Coverage	2	85 → 90	+5

Estimated Score Change: +0.8 points (from 80.0 to 80.8)

---

🎓 Best Practices Demonstrated

1. ✅ User-Focused Documentation: Addresses specific pain points (rootless Podman on RHEL-based distros)
2. ✅ Documentation Testing: CI workflow validates documented commands actually work
3. ✅ Progressive Disclosure: Simple command first, then explanation table
4. ✅ SELinux Awareness: Proper handling of mandatory access controls
5. ✅ Cross-Platform Support: Acknowledges Docker/Podman differences

---

🚀 Recommendations

Before Merge (Required)

1. Run actionlint on the new workflow:

   actionlint .github/workflows/container-test.yml

2. Quote paths in workflow commands (line 36)

3. Verify workflow runs by triggering manually via workflow_dispatch

After Merge (Optional Enhancements)

1. Add workflow status badge to CONTAINER.md:

   \![Container Tests](https://github.com/ambient-code/agentready/workflows/Container%20Tests%20%28Podman%20Rootless%29/badge.svg)

2. Consider matrix testing for multiple Podman versions:

   strategy:
     matrix:
       podman-version: ['4.0', '4.5', '5.0']

3. Add performance benchmark comparing Docker vs Podman execution time

---

📝 Summary

Overall Assessment: ✅ APPROVE with minor suggestions

This PR significantly improves AgentReady's accessibility for rootless Podman users on enterprise Linux distributions. The documentation is clear, comprehensive, and validated by CI.

Key Strengths:

• Solves a real user pain point (issue #267)
• Tests what's documented (documentation-code alignment)
• Clear troubleshooting guidance

Minor Improvements Needed:

• Run actionlint validation
• Add path quoting in workflow
• Consider adding workflow status badge

AgentReady Score Impact: +0.8 points (80.0 → 80.8)

---

🏷️ Labels Recommendation

• documentation ✅ (already applied)
• enhancement ✅ (already applied)
• containers (if available)
• ci/cd (if available)

---

Reviewed by: Claude Code (AgentReady-aware reviewer)
Review Date: 2026-02-12
Review Framework: AgentReady v2.27.1 Attribute Mapping

[github-actions]

🎉 This PR is included in version 2.27.2 🎉

The release is available on GitHub release

Your semantic-release bot 📦🚀