diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 84ea826..3a5f201 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,27 +3,49 @@ on: push: branches: - master + pull_request: env: TEST_IMAGE_NAME: hadolint-action:${{github.sha}} +permissions: + contents: write + issues: write # Used by Release step to update "The automated release is failing" issue + pull-requests: write # Used by ShellCheck Action to add comments on PR + jobs: lint: name: Lint - runs-on: ubuntu-20.04 - container: pipelinecomponents/hadolint:0.10.1 + runs-on: ubuntu-24.04 + container: pipelinecomponents/hadolint:0.27.2 steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v5 + - name: Run hadolint run: hadolint Dockerfile + shellcheck: + name: ShellCheck + runs-on: ubuntu-24.04 + steps: + - uses: actions/checkout@v5 + + - name: Run ShellCheck + uses: reviewdog/action-shellcheck@v1.31.0 + with: + reporter: github-pr-review + fail_on_error: true + build-test: name: Build and Test - runs-on: ubuntu-20.04 - needs: ["lint"] + runs-on: ubuntu-24.04 + needs: + - lint + - shellcheck steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v5 + - name: Build Docker image run: docker build -t $TEST_IMAGE_NAME . @@ -34,10 +56,11 @@ jobs: integration-tests: name: Integration Tests - runs-on: ubuntu-20.04 - needs: build-test + runs-on: ubuntu-24.04 + needs: + - build-test steps: - - uses: actions/checkout@v2 + - uses: actions/checkout@v5 - name: Run integration test 1 uses: ./ @@ -69,29 +92,48 @@ jobs: failure-threshold: error format: json - - name: Run integration test 5 - output format - # This step will never fail, but will print out rule violations. + - name: Run integration test 5 - config file + # This step will never fail, but will print out rule violations + # because in config is set the error failure threshold. + id: hadolint5 uses: ./ with: dockerfile: testdata/warning.Dockerfile config: testdata/hadolint.yaml - - name: Run integration test 6 - output to file - # This step will never fail, but will print out rule violations. + - name: Run integration test 6 - verify results output parameter + # This step will never fail, but will print out the results from step5 + env: + results: ${{ steps.hadolint5.outputs.results }} + run: echo "$results" + + - name: Run integration test 7 - set recursive + # This step will never fail, but will print out rule violations + # for all the Dockerfiles in repository. uses: ./ with: - dockerfile: testdata/warning.Dockerfile - format: sarif - output-file: /report.sarif + dockerfile: "*Dockerfile" + failure-threshold: error + recursive: true + + #- name: Run integration test 8 - output to file + # # This step will never fail, but will print out rule violations. + # uses: ./ + # with: + # dockerfile: testdata/warning.Dockerfile + # format: sarif + # output-file: report.sarif release: if: github.event_name == 'push' && github.ref == 'refs/heads/master' name: Release - runs-on: ubuntu-20.04 - needs: integration-tests + runs-on: ubuntu-24.04 + needs: + - integration-tests steps: - - uses: actions/checkout@v2 - - uses: cycjimmy/semantic-release-action@v2 + - uses: actions/checkout@v5 + + - uses: cycjimmy/semantic-release-action@v5 with: extra_plugins: | @semantic-release/git diff --git a/Dockerfile b/Dockerfile index 8c7638b..93a3909 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM hadolint/hadolint:v2.9.2-debian +FROM ghcr.io/hadolint/hadolint:v2.14.0-debian COPY LICENSE README.md problem-matcher.json / COPY hadolint.sh /usr/local/bin/hadolint.sh diff --git a/Makefile b/Makefile index 32cdadb..a35729b 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ IMAGE_NAME:=hadolint-action -lint-dockerfile: ## Runs hadoint against application dockerfile +lint-dockerfile: ## Runs hadolint against application dockerfile @docker run --rm -v "$(PWD):/data" -w "/data" hadolint/hadolint hadolint Dockerfile lint-yaml: ## Lints yaml configurations @@ -12,8 +12,8 @@ build: ## Builds the docker image test: build ## Runs a test in the image @docker run -i --rm \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v ${PWD}:/test zemanlx/container-structure-test:v1.8.0-alpine \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v ${PWD}:/test zemanlx/container-structure-test:v1.8.0-alpine \ test \ --image $(IMAGE_NAME) \ --config test/structure-tests.yaml diff --git a/README.md b/README.md index 355c85d..0ecee3f 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ [![License](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](LICENSE) [![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg?style=for-the-badge)](http://commitizen.github.io/cz-cli/) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=for-the-badge)](https://github.com/semantic-release/semantic-release?style=for-the-badge) +[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/hadolint/hadolint-action/ci.yml?branch=master&style=for-the-badge)](https://github.com/hadolint/hadolint-action/action) -[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/hadolint/hadolint-action/CI?style=for-the-badge)](https://github.com/hadolint/hadolint-action/action) ## Usage @@ -15,42 +15,58 @@ Add the following step to your workflow configuration: ```yml steps: - - uses: actions/checkout@v2 - - uses: hadolint/hadolint-action@v1.6.0 + - uses: actions/checkout@v3 + - uses: hadolint/hadolint-action@v3.1.0 with: dockerfile: Dockerfile ``` ## Inputs -| Name | Description | Default | -|------------------- |------------------------------------------ |----------------- | -| dockerfile | The path to the Dockerfile to be tested | ./Dockerfile | -| recursive | Search for specified dockerfile | false | -| | recursively, from the project root | | -| config | Custom path to a Hadolint config file | ./.hadolint.yaml | -| output-file | A sub-path where to save the | | -| | output as a file to | | -| no-color | Don't create colored output | | -| no-fail | Never fail the action | | -| verbose | Output more information | | -| format | The output format. One of [tty \| json \| | tty | -| | checkstyle \| codeclimate \| | | -| | gitlab_codeclimate \| codacy \| sarif] | | -| failure-threshold | Rule severity threshold for pipeline | info | -| | failure. One of [error \| warning \| | | -| | info \| style \| ignore] | | -| override-error | List of rules to treat with 'error' | | -| | severity | | -| override-warning | List of rules to treat with 'warning' | | -| | severity | | -| override-info | List of rules to treat with 'info' | | -| | severity | | -| override-style | List of rules to treat with 'style' | | -| | severity | | -| ignore | Space separated list of Hadolint rules to | | -| | ignore. | | -| trusted-resgitries | List of urls of trusted registries | | +| Name | Description | Default | +|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------|--------------------| +| `dockerfile` | The path to the Dockerfile to be tested | `./Dockerfile` | +| `recursive` | Search for specified dockerfile
recursively, from the project root | `false` | +| `config` | Custom path to a Hadolint config file | `./.hadolint.yaml` | +| `output-file` | A sub-path where to save the
output as a file to | `/dev/stdout` | +| `no-color` | Don't create colored output (`true`/`false`) | `false` | +| `no-fail` | Never fail the action (`true`/`false`) | `false` | +| `verbose` | Output more information (`true`/`false`) | `false` | +| `format` | The output format. One of [`tty` \| `json` \|
`checkstyle` \| `codeclimate` \|
`gitlab_codeclimate` \| `codacy` \| `sarif`] | `tty` | +| `failure-threshold` | Rule severity threshold for pipeline
failure. One of [`error` \| `warning` \|
`info` \| `style` \| `ignore`] | `info` | +| `override-error` | Comma separated list of rules to treat with `error` severity | | +| `override-warning` | Comma separated list of rules to treat with `warning` severity | | +| `override-info` | Comma separated list of rules to treat with `info` severity | | +| `override-style` | Comma separated list of rules to treat with `style` severity | | +| `ignore` | Comma separated list of Hadolint rules to ignore. | | +| `trusted-registries` | Comma separated list of urls of trusted registries | | + +## Output + +The Action will store results in an environment variable that can be used in other steps in a workflow. + +Example to create a comment in a PR: + +``` +- name: Update Pull Request + uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + with: + script: | + const output = ` + #### Hadolint: \`${{ steps.hadolint.outcome }}\` + \`\`\` + ${process.env.HADOLINT_RESULTS} + \`\`\` + `; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) +``` ## Hadolint Configuration @@ -65,6 +81,7 @@ Contributions are what make the open source community such an amazing place to b 3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`) 4. Push to the Branch (`git push origin feature/AmazingFeature`) 5. Open a Pull Request + ## 💛 Support the project If this project was useful to you in some form, We would be glad to have your support. It will help keeping the project alive. diff --git a/action.yml b/action.yml index 443cf93..e1c9fba 100644 --- a/action.yml +++ b/action.yml @@ -18,7 +18,7 @@ inputs: output-file: required: false description: 'The path where to save the linting results to' - default: + default: "/dev/stdout" # standart hadolint options: no-color: diff --git a/hadolint.sh b/hadolint.sh index cb4df62..d28035d 100755 --- a/hadolint.sh +++ b/hadolint.sh @@ -1,15 +1,18 @@ #!/bin/bash - # The problem-matcher definition must be present in the repository # checkout (outside the Docker container running hadolint). We copy # problem-matcher.json to the home folder. -cp /problem-matcher.json "$HOME/" +PROBLEM_MATCHER_FILE="/problem-matcher.json" +if [ -f "$PROBLEM_MATCHER_FILE" ]; then + cp "$PROBLEM_MATCHER_FILE" "$HOME/" +fi # After the run has finished we remove the problem-matcher.json from # the repository so we don't leave the checkout dirty. We also remove # the matcher so it won't take effect in later steps. +# shellcheck disable=SC2317 cleanup() { - echo "::remove-matcher owner=brpaz/hadolint-action::" + echo "::remove-matcher owner=brpaz/hadolint-action::" } trap cleanup EXIT @@ -19,24 +22,46 @@ if [ -n "$HADOLINT_CONFIG" ]; then HADOLINT_CONFIG="-c ${HADOLINT_CONFIG}" fi -OUTPUT= -if [ -n "$HADOLINT_OUTPUT" ]; then - if [ -f "$HADOLINT_OUTPUT" ]; then - HADOLINT_OUTPUT="$TMP_FOLDER/$HADOLINT_OUTPUT" - fi - OUTPUT=" | tee $HADOLINT_OUTPUT" +if [ -z "$HADOLINT_TRUSTED_REGISTRIES" ]; then + unset HADOLINT_TRUSTED_REGISTRIES fi +COMMAND="hadolint $HADOLINT_CONFIG" + if [ "$HADOLINT_RECURSIVE" = "true" ]; then shopt -s globstar filename="${!#}" - flags="${@:1:$#-1}" + flags="${*:1:$#-1}" - hadolint $HADOLINT_CONFIG $flags **/$filename $OUTPUT + RESULTS=$(eval "$COMMAND $flags" -- **/"$filename") else - # shellcheck disable=SC2086 - hadolint $HADOLINT_CONFIG "$@" $OUTPUT + flags=$* + RESULTS=$(eval "$COMMAND" "$flags") +fi +FAILED=$? + +if [ -n "$HADOLINT_OUTPUT" ]; then + if [ -f "$HADOLINT_OUTPUT" ]; then + HADOLINT_OUTPUT="$TMP_FOLDER/$HADOLINT_OUTPUT" + fi + echo "$RESULTS" >"$HADOLINT_OUTPUT" fi +RESULTS="${RESULTS//$'\\n'/''}" + +{ + echo "results<>"$GITHUB_OUTPUT" + +{ + echo "HADOLINT_RESULTS<>"$GITHUB_ENV" + [ -z "$HADOLINT_OUTPUT" ] || echo "Hadolint output saved to: $HADOLINT_OUTPUT" + +exit $FAILED