1 files changed, 49 insertions, 0 deletions

diff --git a/ci/images/README.md b/ci/images/README.md
new file mode 100644
index 0000000..3d09f60
--- /dev/null
+++ b/ci/images/README.md
@@ -0,0 +1,49 @@
+# Container images for CI
+
+## Image purpose
+
+### debian-11
+
+The main image used by shared runners to execute most CI builds and tests.
+
+### debian-11-coverity
+
+A stripped down version of `debian-11`. It only contains build (not test)
+dependencies of `kresd`. It also contains the `cov-build` tool for generating
+inputs for [Coverity Scan](https://scan.coverity.com/).
+
+It is used by the `coverity` CI job to generate and send data to Coverity Scan
+for analysis.
+
+To build this image, you need to retrieve the Coverity Scan token from the
+dashboard and pass it to the `build.sh` script using the `COVERITY_SCAN_TOKEN`
+environment variable, e.g.:
+
+```
+$ COVERITY_SCAN_TOKEN=the_secret_token ./build.sh debian-11-coverity
+```
+
+### debian-buster (10)
+
+Used to serve the same purpose as `debian-11`. As of 2022-03-09, it is still
+used by some jobs (linters).
+
+## Maintenance
+
+The `ci/images/` directory contains utility scripts to build, push or update
+the container images.
+
+```
+$ ./build.sh debian-11    # builds a debian-11 image locally
+$ ./push.sh debian-11     # pushes the local image into target registry
+$ ./update.sh debian-11   # utility wrapper that both builds and pushes the image
+$ ./update.sh */          # use shell expansion of dirnames to update all images
+```
+
+By default, a branch of Knot DNS deemed to be stable is selected according to
+the `vars.sh` file. To build an image for a different Knot DNS branch, set the
+`KNOT_BRANCH` environment variable to the name of the branch, e.g.:
+
+```
+$ KNOT_BRANCH='3.2' ./update.sh debian-11
+```