diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 3a5f201..256a766 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,49 +3,27 @@ on: push: branches: - master - pull_request: env: TEST_IMAGE_NAME: hadolint-action:${{github.sha}} -permissions: - contents: write - issues: write # Used by Release step to update "The automated release is failing" issue - pull-requests: write # Used by ShellCheck Action to add comments on PR - jobs: lint: name: Lint - runs-on: ubuntu-24.04 - container: pipelinecomponents/hadolint:0.27.2 + runs-on: ubuntu-20.04 + container: pipelinecomponents/hadolint:0.10.1 steps: - - uses: actions/checkout@v5 - + - uses: actions/checkout@v2 - name: Run hadolint run: hadolint Dockerfile - shellcheck: - name: ShellCheck - runs-on: ubuntu-24.04 - steps: - - uses: actions/checkout@v5 - - - name: Run ShellCheck - uses: reviewdog/action-shellcheck@v1.31.0 - with: - reporter: github-pr-review - fail_on_error: true - build-test: name: Build and Test - runs-on: ubuntu-24.04 - needs: - - lint - - shellcheck + runs-on: ubuntu-20.04 + needs: ["lint"] steps: - - uses: actions/checkout@v5 - + - uses: actions/checkout@v2 - name: Build Docker image run: docker build -t $TEST_IMAGE_NAME . @@ -56,11 +34,10 @@ jobs: integration-tests: name: Integration Tests - runs-on: ubuntu-24.04 - needs: - - build-test + runs-on: ubuntu-20.04 + needs: build-test steps: - - uses: actions/checkout@v5 + - uses: actions/checkout@v2 - name: Run integration test 1 uses: ./ @@ -73,8 +50,7 @@ jobs: uses: ./ with: dockerfile: testdata/warning.Dockerfile - ignore: 'DL3014,DL3008' - no-fail: true + ignore: DL3014 DL3008 DL3015 - name: Run integration test 3 - set failure threshold # This step will print out an info level rule violation, but not fail @@ -92,48 +68,21 @@ jobs: failure-threshold: error format: json - - name: Run integration test 5 - config file - # This step will never fail, but will print out rule violations - # because in config is set the error failure threshold. - id: hadolint5 + - name: Run integration test 4 - output format + # This step will never fail, but will print out rule violations. uses: ./ with: dockerfile: testdata/warning.Dockerfile config: testdata/hadolint.yaml - - name: Run integration test 6 - verify results output parameter - # This step will never fail, but will print out the results from step5 - env: - results: ${{ steps.hadolint5.outputs.results }} - run: echo "$results" - - - name: Run integration test 7 - set recursive - # This step will never fail, but will print out rule violations - # for all the Dockerfiles in repository. - uses: ./ - with: - dockerfile: "*Dockerfile" - failure-threshold: error - recursive: true - - #- name: Run integration test 8 - output to file - # # This step will never fail, but will print out rule violations. - # uses: ./ - # with: - # dockerfile: testdata/warning.Dockerfile - # format: sarif - # output-file: report.sarif - release: if: github.event_name == 'push' && github.ref == 'refs/heads/master' name: Release - runs-on: ubuntu-24.04 - needs: - - integration-tests + runs-on: ubuntu-20.04 + needs: integration-tests steps: - - uses: actions/checkout@v5 - - - uses: cycjimmy/semantic-release-action@v5 + - uses: actions/checkout@v2 + - uses: cycjimmy/semantic-release-action@v2 with: extra_plugins: | @semantic-release/git diff --git a/Dockerfile b/Dockerfile index 93a3909..2fd839c 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,4 +1,4 @@ -FROM ghcr.io/hadolint/hadolint:v2.14.0-debian +FROM hadolint/hadolint:v2.7.0-debian COPY LICENSE README.md problem-matcher.json / COPY hadolint.sh /usr/local/bin/hadolint.sh diff --git a/Makefile b/Makefile index a35729b..32cdadb 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ IMAGE_NAME:=hadolint-action -lint-dockerfile: ## Runs hadolint against application dockerfile +lint-dockerfile: ## Runs hadoint against application dockerfile @docker run --rm -v "$(PWD):/data" -w "/data" hadolint/hadolint hadolint Dockerfile lint-yaml: ## Lints yaml configurations @@ -12,8 +12,8 @@ build: ## Builds the docker image test: build ## Runs a test in the image @docker run -i --rm \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v ${PWD}:/test zemanlx/container-structure-test:v1.8.0-alpine \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v ${PWD}:/test zemanlx/container-structure-test:v1.8.0-alpine \ test \ --image $(IMAGE_NAME) \ --config test/structure-tests.yaml diff --git a/README.md b/README.md index 0ecee3f..5affe47 100644 --- a/README.md +++ b/README.md @@ -6,8 +6,8 @@ [![License](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](LICENSE) [![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg?style=for-the-badge)](http://commitizen.github.io/cz-cli/) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=for-the-badge)](https://github.com/semantic-release/semantic-release?style=for-the-badge) -[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/hadolint/hadolint-action/ci.yml?branch=master&style=for-the-badge)](https://github.com/hadolint/hadolint-action/action) +[![GitHub Workflow Status](https://img.shields.io/github/workflow/status/hadolint/hadolint-action/CI?style=for-the-badge)](https://github.com/hadolint/hadolint-action/action) ## Usage @@ -15,58 +15,28 @@ Add the following step to your workflow configuration: ```yml steps: - - uses: actions/checkout@v3 - - uses: hadolint/hadolint-action@v3.1.0 + - uses: actions/checkout@v2 + - uses: hadolint/hadolint-action@v1.5.0 with: dockerfile: Dockerfile ``` ## Inputs -| Name | Description | Default | -|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------|--------------------| -| `dockerfile` | The path to the Dockerfile to be tested | `./Dockerfile` | -| `recursive` | Search for specified dockerfile
recursively, from the project root | `false` | -| `config` | Custom path to a Hadolint config file | `./.hadolint.yaml` | -| `output-file` | A sub-path where to save the
output as a file to | `/dev/stdout` | -| `no-color` | Don't create colored output (`true`/`false`) | `false` | -| `no-fail` | Never fail the action (`true`/`false`) | `false` | -| `verbose` | Output more information (`true`/`false`) | `false` | -| `format` | The output format. One of [`tty` \| `json` \|
`checkstyle` \| `codeclimate` \|
`gitlab_codeclimate` \| `codacy` \| `sarif`] | `tty` | -| `failure-threshold` | Rule severity threshold for pipeline
failure. One of [`error` \| `warning` \|
`info` \| `style` \| `ignore`] | `info` | -| `override-error` | Comma separated list of rules to treat with `error` severity | | -| `override-warning` | Comma separated list of rules to treat with `warning` severity | | -| `override-info` | Comma separated list of rules to treat with `info` severity | | -| `override-style` | Comma separated list of rules to treat with `style` severity | | -| `ignore` | Comma separated list of Hadolint rules to ignore. | | -| `trusted-registries` | Comma separated list of urls of trusted registries | | - -## Output - -The Action will store results in an environment variable that can be used in other steps in a workflow. - -Example to create a comment in a PR: - -``` -- name: Update Pull Request - uses: actions/github-script@v6 - if: github.event_name == 'pull_request' - with: - script: | - const output = ` - #### Hadolint: \`${{ steps.hadolint.outcome }}\` - \`\`\` - ${process.env.HADOLINT_RESULTS} - \`\`\` - `; - - github.rest.issues.createComment({ - issue_number: context.issue.number, - owner: context.repo.owner, - repo: context.repo.repo, - body: output - }) -``` +| Name | Description | Default | +|------------------ |------------------------------------------ |----------------- | +| dockerfile | The path to the Dockerfile to be tested | ./Dockerfile | +| recursive | Search for specified dockerfile | false | +| | recursively, from the project root | | +| format | The output format. One of [tty \| json \| | tty | +| | checkstyle \| codeclimate \| | | +| | gitlab_codeclimate] | | +| ignore | Space separated list of Hadolint rules to | | +| | ignore. | | +| config | Custom path to a Hadolint config file | ./.hadolint.yaml | +| failure-threshold | Rule severity threshold for pipeline | info | +| | failure. One of [error \| warning \| | | +| | info \| style \| ignore] | | ## Hadolint Configuration @@ -81,7 +51,6 @@ Contributions are what make the open source community such an amazing place to b 3. Commit your Changes (`git commit -m 'Add some AmazingFeature'`) 4. Push to the Branch (`git push origin feature/AmazingFeature`) 5. Open a Pull Request - ## 💛 Support the project If this project was useful to you in some form, We would be glad to have your support. It will help keeping the project alive. diff --git a/action.yml b/action.yml index e1c9fba..aff7df6 100644 --- a/action.yml +++ b/action.yml @@ -6,38 +6,15 @@ inputs: required: false description: 'The path to the Dockerfile to lint' default: 'Dockerfile' - config: - required: false - description: 'Path to a config file' - default: recursive: required: false - description: - 'Search for specified dockerfile recursively, from the project root' - default: 'false' - output-file: - required: false - description: 'The path where to save the linting results to' - default: "/dev/stdout" - - # standart hadolint options: - no-color: - required: false - description: Don't create colored output. - default: 'false' - no-fail: - required: false - description: Never exit with a failure status code - default: 'false' - verbose: - required: false - description: Print more information about the running config + description: 'Search for specified dockerfile recursively, from the project root' default: 'false' format: required: false description: | The output format, one of [tty (default) | json | checkstyle | - codeclimate | gitlab_codeclimate | codacy | sarif] + codeclimate | gitlab_codeclimate ] default: 'tty' failure-threshold: required: false @@ -45,56 +22,28 @@ inputs: Fail the pipeline only if rules with severity above this threshold are violated. One of [error | warning | info (default) | style | ignore] default: 'info' - override-error: - required: false - description: - 'A comma separated list of rules whose severity will be `error`' - default: - override-warning: - required: false - description: - 'A comma separated list of rules whose severity will be `warning`' - default: - override-info: - required: false - description: - 'A comma separated list of rules whose severity will be `info`' - default: - override-style: - required: false - description: - 'A comma separated list of rules whose severity will be `style`' - default: ignore: required: false - description: 'A comma separated string of rules to ignore' + description: 'A space separated string of rules to ignore' default: - trusted-registries: + config: required: false - description: 'A comma separated list of trusted registry urls' + description: 'Path to a config file' default: runs: using: 'docker' image: 'Dockerfile' args: + - -f + - ${{ inputs.format }} + - -t + - ${{ inputs.failure-threshold }} - ${{ inputs.dockerfile }} env: - NO_COLOR: ${{ inputs.no-color }} - HADOLINT_NOFAIL: ${{ inputs.no-fail }} - HADOLINT_VERBOSE: ${{ inputs.verbose }} - HADOLINT_FORMAT: ${{ inputs.format }} - HADOLINT_FAILURE_THRESHOLD: ${{ inputs.failure-threshold }} - HADOLINT_OVERRIDE_ERROR: ${{ inputs.override-error }} - HADOLINT_OVERRIDE_WARNING: ${{ inputs.override-warning }} - HADOLINT_OVERRIDE_INFO: ${{ inputs.override-info }} - HADOLINT_OVERRIDE_STYLE: ${{ inputs.override-style }} - HADOLINT_IGNORE: ${{ inputs.ignore }} - HADOLINT_TRUSTED_REGISTRIES: ${{ inputs.trusted-registries }} - HADOLINT_CONFIG: ${{ inputs.config }} + HADOLINT_IGNORE: ${{ inputs.ignore }} HADOLINT_RECURSIVE: ${{ inputs.recursive }} - HADOLINT_OUTPUT: ${{ inputs.output-file }} branding: icon: 'layers' color: 'purple' diff --git a/hadolint.sh b/hadolint.sh index d28035d..243bc86 100755 --- a/hadolint.sh +++ b/hadolint.sh @@ -1,67 +1,40 @@ #!/bin/bash -# The problem-matcher definition must be present in the repository -# checkout (outside the Docker container running hadolint). We copy -# problem-matcher.json to the home folder. -PROBLEM_MATCHER_FILE="/problem-matcher.json" -if [ -f "$PROBLEM_MATCHER_FILE" ]; then - cp "$PROBLEM_MATCHER_FILE" "$HOME/" -fi +# The problem-matcher definition must be present in the repository +# checkout (outside the Docker container running hadolint). We create +# a temporary folder and copy problem-matcher.json to it and make it +# readable. +TMP_FOLDER=$(mktemp -d -p .) +cp /problem-matcher.json "${TMP_FOLDER}" +chmod -R a+rX "${TMP_FOLDER}" + # After the run has finished we remove the problem-matcher.json from # the repository so we don't leave the checkout dirty. We also remove # the matcher so it won't take effect in later steps. -# shellcheck disable=SC2317 cleanup() { - echo "::remove-matcher owner=brpaz/hadolint-action::" + echo "::remove-matcher owner=brpaz/hadolint-action::" + rm -rf "${TMP_FOLDER}" } trap cleanup EXIT -echo "::add-matcher::$HOME/problem-matcher.json" +echo "::add-matcher::${TMP_FOLDER}/problem-matcher.json" if [ -n "$HADOLINT_CONFIG" ]; then HADOLINT_CONFIG="-c ${HADOLINT_CONFIG}" fi -if [ -z "$HADOLINT_TRUSTED_REGISTRIES" ]; then - unset HADOLINT_TRUSTED_REGISTRIES -fi - -COMMAND="hadolint $HADOLINT_CONFIG" +for i in $HADOLINT_IGNORE; do + HADOLINT_IGNORE_CMDLINE="${HADOLINT_IGNORE_CMDLINE} --ignore=${i}" +done if [ "$HADOLINT_RECURSIVE" = "true" ]; then shopt -s globstar filename="${!#}" - flags="${*:1:$#-1}" + flags="${@:1:$#-1}" - RESULTS=$(eval "$COMMAND $flags" -- **/"$filename") + hadolint $HADOLINT_IGNORE_CMDLINE $HADOLINT_CONFIG $flags **/$filename else - flags=$* - RESULTS=$(eval "$COMMAND" "$flags") + # shellcheck disable=SC2086 + hadolint $HADOLINT_IGNORE_CMDLINE $HADOLINT_CONFIG "$@" fi -FAILED=$? - -if [ -n "$HADOLINT_OUTPUT" ]; then - if [ -f "$HADOLINT_OUTPUT" ]; then - HADOLINT_OUTPUT="$TMP_FOLDER/$HADOLINT_OUTPUT" - fi - echo "$RESULTS" >"$HADOLINT_OUTPUT" -fi - -RESULTS="${RESULTS//$'\\n'/''}" - -{ - echo "results<>"$GITHUB_OUTPUT" - -{ - echo "HADOLINT_RESULTS<>"$GITHUB_ENV" - -[ -z "$HADOLINT_OUTPUT" ] || echo "Hadolint output saved to: $HADOLINT_OUTPUT" - -exit $FAILED