I have a declarative pipeline with a docker agent running on a machine with SELinux enabled. At some point in the "checkout scm" step "git checkout -f <commit_id>" is run.

During the first run the checkout is all fine. The Docker agent gives the correct SELinux label to the files and it's all fine. The problem is that when setting the SELinux label the files ctime is modified (even if the correct SELinux label was already in place) and in the next job run, if it's an incremental build "git checkout -f <commit_id>" updates the mtime... so the build system ends up rebuilding stuff that doesn't need to be rebuilt, making the build not that "incremental".

Running "git update-index --refresh" the git index is updated and later "git checkout -f <commit_id>" doesn't update the mtime any more. But I don't really know git so well, so I don't know if running "git update-index --refresh" is a (good) fix.