hadolint/hadolint-action uses a Docker-based runner with hadolint
pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian, so no binary is
downloaded at runtime. Pinning the action to a commit SHA also pins the
action's Dockerfile that names the image version, closing the supply-chain
gap left by the previous unverified `curl | sudo install`. Note that the
image itself is still resolved from the `v2.14.0-debian` tag when the job
runs; the pin is only fully immutable if that Dockerfile references the
image by digest.
Split into {debian,alpine} steps: the action accepts a single `dockerfile`
input, so Dockerfile.debian and Dockerfile.alpine are linted in separate
steps.
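---
# Lint the project's Dockerfiles with hadolint and `docker build --check`.
#
# Security posture of this workflow:
#   - `permissions: {}` grants the GITHUB_TOKEN no scopes at all; the job only
#     needs to read the checkout, and no step pushes or calls the API.
#   - Every action is pinned to a full commit SHA; the trailing comment records
#     the tag the SHA was taken from, so review the SHA, not the comment, when
#     bumping a version.
#   - hadolint runs from a pre-built container image instead of a binary
#     fetched over the network at run time.
name: Hadolint

# No token scopes for any job in this workflow. Add job-level `permissions`
# only if a step genuinely needs one (none does today).
permissions: {}

# One run per PR (keyed by PR number) or per branch/tag (keyed by ref); a newer
# push cancels the lint run that is still in flight.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

# Plain `pull_request` (not `pull_request_target`), so fork PRs run with a
# read-only token and never see repository secrets.
on:  # yamllint disable-line rule:truthy
  - push
  - pull_request

defaults:
  run:
    # GitHub runs `shell: bash` steps as `bash --noprofile --norc -eo pipefail`,
    # so any failing command inside a `run:` block fails the step.
    shell: bash

jobs:
  hadolint:
    name: Validate Dockerfile syntax
    runs-on: ubuntu-24.04
    timeout-minutes: 30

    steps:
      # Start Docker Buildx; needed for `docker build --check` below.
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@4d04d5d9486b7bd6fa91e7baf45bbb4f8b9deedd # v4.0.0
        # https://github.com/moby/buildkit/issues/3969
        # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
        with:
          buildkitd-config-inline: |
            [worker.oci]
              max-parallelism = 2
          # NOTE(review): host networking for the buildkit container is the
          # workaround for the issue linked above. It widens what the builder
          # can reach, which is acceptable here only because this job never
          # executes untrusted build steps (see the `--check` note below).
          driver-opts: |
            network=host

      # Checkout the repo
      - name: Checkout
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Do not leave the token in .git/config; no later step needs it.
          persist-credentials: false
      # End Checkout the repo

      # Test Dockerfiles with hadolint
      # Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian)
      # so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety.
      # The action accepts a single `dockerfile` input, hence one step per Dockerfile.
      - name: Run hadolint on Dockerfile.debian
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: docker/Dockerfile.debian

      - name: Run hadolint on Dockerfile.alpine
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: docker/Dockerfile.alpine
      # End Test Dockerfiles with hadolint

      # Test Dockerfiles with docker build checks
      # `docker build --check` runs BuildKit's build checks without executing
      # the build stages. Both Dockerfiles are checked from one loop so the
      # list stays in sync with the hadolint steps above; `-e` in the shell
      # defaults aborts the loop on the first failing check.
      - name: Run docker build check
        run: |
          for dockerfile in docker/Dockerfile.debian docker/Dockerfile.alpine; do
            echo "Checking ${dockerfile}"
            docker build --check . -f "${dockerfile}"
          done
      # End Test Dockerfiles with docker build checks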