diff --git a/.github/dependabot.yml b/.github/dependabot.yml new file mode 100644 index 0000000..82dd81d --- /dev/null +++ b/.github/dependabot.yml @@ -0,0 +1,10 @@ +version: 2 +updates: +- package-ecosystem: "github-actions" + directory: "/" + schedule: + interval: "daily" +- package-ecosystem: "docker" + directory: "/" + schedule: + interval: "daily" diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index cd6b701..3a5f201 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml @@ -3,81 +3,139 @@ on: push: branches: - master + pull_request: env: TEST_IMAGE_NAME: hadolint-action:${{github.sha}} +permissions: + contents: write + issues: write # Used by Release step to update "The automated release is failing" issue + pull-requests: write # Used by ShellCheck Action to add comments on PR + jobs: lint: - runs-on: ubuntu-latest - container: pipelinecomponents/hadolint:latest + name: Lint + runs-on: ubuntu-24.04 + container: pipelinecomponents/hadolint:0.27.2 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v5 + - name: Run hadolint run: hadolint Dockerfile - build: - runs-on: ubuntu-latest - needs: ['lint'] + shellcheck: + name: ShellCheck + runs-on: ubuntu-24.04 steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v5 + + - name: Run ShellCheck + uses: reviewdog/action-shellcheck@v1.31.0 + with: + reporter: github-pr-review + fail_on_error: true + + build-test: + name: Build and Test + runs-on: ubuntu-24.04 + needs: + - lint + - shellcheck + steps: + - uses: actions/checkout@v5 + - name: Build Docker image run: docker build -t $TEST_IMAGE_NAME . - - name: Save Docker image artifact - run: docker save -o action.tar $TEST_IMAGE_NAME - - - name: Upload image artifact - uses: actions/upload-artifact@master - with: - name: action-image - path: action.tar - - test: - name: Unit Tests - runs-on: ubuntu-latest - needs: build - steps: - - uses: actions/checkout@v1 - - - name: Pull Image artifact - uses: actions/download-artifact@master - with: - name: action-image - - - name: Load image into docker context - run: docker load -i action-image/action.tar - - - name: Get Image Name - id: image_name - run: echo "##[set-output name=image;]$(echo $TEST_IMAGE_NAME)" - - name: Run Structure tests - uses: brpaz/structure-tests-action@master + uses: brpaz/structure-tests-action@v1.1.2 with: - image: ${{ steps.image_name.outputs.image }} + image: ${{ env.TEST_IMAGE_NAME }} - integration: + integration-tests: name: Integration Tests - runs-on: ubuntu-latest - needs: test + runs-on: ubuntu-24.04 + needs: + - build-test steps: - - uses: actions/checkout@v1 + - uses: actions/checkout@v5 - - name: Run integration test + - name: Run integration test 1 uses: ./ with: dockerfile: testdata/Dockerfile + - name: Run integration test 2 - ignore a rule + # This step is supposed to print out an info level rule violation + # but completely ignore the two rules listed below + uses: ./ + with: + dockerfile: testdata/warning.Dockerfile + ignore: 'DL3014,DL3008' + no-fail: true + + - name: Run integration test 3 - set failure threshold + # This step will print out an info level rule violation, but not fail + # because of the high failure threshold. + uses: ./ + with: + dockerfile: testdata/info.Dockerfile + failure-threshold: warning + + - name: Run integration test 4 - output format + # This step will never fail, but will print out rule violations as json. + uses: ./ + with: + dockerfile: testdata/warning.Dockerfile + failure-threshold: error + format: json + + - name: Run integration test 5 - config file + # This step will never fail, but will print out rule violations + # because in config is set the error failure threshold. + id: hadolint5 + uses: ./ + with: + dockerfile: testdata/warning.Dockerfile + config: testdata/hadolint.yaml + + - name: Run integration test 6 - verify results output parameter + # This step will never fail, but will print out the results from step5 + env: + results: ${{ steps.hadolint5.outputs.results }} + run: echo "$results" + + - name: Run integration test 7 - set recursive + # This step will never fail, but will print out rule violations + # for all the Dockerfiles in repository. + uses: ./ + with: + dockerfile: "*Dockerfile" + failure-threshold: error + recursive: true + + #- name: Run integration test 8 - output to file + # # This step will never fail, but will print out rule violations. + # uses: ./ + # with: + # dockerfile: testdata/warning.Dockerfile + # format: sarif + # output-file: report.sarif + release: if: github.event_name == 'push' && github.ref == 'refs/heads/master' name: Release - runs-on: ubuntu-latest - needs: integration + runs-on: ubuntu-24.04 + needs: + - integration-tests steps: - - uses: actions/checkout@v1 - - name: Semantic Release - uses: brpaz/action-semantic-release@master + - uses: actions/checkout@v5 + + - uses: cycjimmy/semantic-release-action@v5 + with: + extra_plugins: | + @semantic-release/git env: GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} diff --git a/Dockerfile b/Dockerfile index 6c740a5..93a3909 100644 --- a/Dockerfile +++ b/Dockerfile @@ -1,6 +1,6 @@ -FROM hadolint/hadolint:v1.17.2 +FROM ghcr.io/hadolint/hadolint:v2.14.0-debian -COPY LICENSE README.md / - -ENTRYPOINT [ "hadolint" ] +COPY LICENSE README.md problem-matcher.json / +COPY hadolint.sh /usr/local/bin/hadolint.sh +ENTRYPOINT [ "/usr/local/bin/hadolint.sh" ] diff --git a/Makefile b/Makefile index 32cdadb..a35729b 100644 --- a/Makefile +++ b/Makefile @@ -1,7 +1,7 @@ IMAGE_NAME:=hadolint-action -lint-dockerfile: ## Runs hadoint against application dockerfile +lint-dockerfile: ## Runs hadolint against application dockerfile @docker run --rm -v "$(PWD):/data" -w "/data" hadolint/hadolint hadolint Dockerfile lint-yaml: ## Lints yaml configurations @@ -12,8 +12,8 @@ build: ## Builds the docker image test: build ## Runs a test in the image @docker run -i --rm \ - -v /var/run/docker.sock:/var/run/docker.sock \ - -v ${PWD}:/test zemanlx/container-structure-test:v1.8.0-alpine \ + -v /var/run/docker.sock:/var/run/docker.sock \ + -v ${PWD}:/test zemanlx/container-structure-test:v1.8.0-alpine \ test \ --image $(IMAGE_NAME) \ --config test/structure-tests.yaml diff --git a/README.md b/README.md index 6011fb0..0ecee3f 100644 --- a/README.md +++ b/README.md @@ -1,26 +1,76 @@ -# hadolint-action Action +# Hadolint Action -> Action that runs [Hadolint](https://github.com/hadolint/hadolint) Dockerfile linting tool. +> GitHub Action that runs [Hadolint](https://github.com/hadolint/hadolint) Dockerfile linting tool. [![GitHub Action](https://img.shields.io/badge/GitHub-Action-blue?style=for-the-badge)](https://github.com/features/actions) [![License](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](LICENSE) [![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg?style=for-the-badge)](http://commitizen.github.io/cz-cli/) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=for-the-badge)](https://github.com/semantic-release/semantic-release?style=for-the-badge) +[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/hadolint/hadolint-action/ci.yml?branch=master&style=for-the-badge)](https://github.com/hadolint/hadolint-action/action) -[![GitHub Actions](https://github.com/brpaz/hadolint-action/workflows/CI/badge.svg?style=for-the-badge)](https://github.com/brpaz/hadolint-action/actions) ## Usage +Add the following step to your workflow configuration: + ```yml steps: - uses: brpaz/hadolint-action@master + - uses: actions/checkout@v3 + - uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: Dockerfile ``` ## Inputs -**`dockerfile`** +| Name | Description | Default | +|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------|--------------------| +| `dockerfile` | The path to the Dockerfile to be tested | `./Dockerfile` | +| `recursive` | Search for specified dockerfile
recursively, from the project root | `false` | +| `config` | Custom path to a Hadolint config file | `./.hadolint.yaml` | +| `output-file` | A sub-path where to save the
output as a file to | `/dev/stdout` | +| `no-color` | Don't create colored output (`true`/`false`) | `false` | +| `no-fail` | Never fail the action (`true`/`false`) | `false` | +| `verbose` | Output more information (`true`/`false`) | `false` | +| `format` | The output format. One of [`tty` \| `json` \|
`checkstyle` \| `codeclimate` \|
`gitlab_codeclimate` \| `codacy` \| `sarif`] | `tty` | +| `failure-threshold` | Rule severity threshold for pipeline
failure. One of [`error` \| `warning` \|
`info` \| `style` \| `ignore`] | `info` | +| `override-error` | Comma separated list of rules to treat with `error` severity | | +| `override-warning` | Comma separated list of rules to treat with `warning` severity | | +| `override-info` | Comma separated list of rules to treat with `info` severity | | +| `override-style` | Comma separated list of rules to treat with `style` severity | | +| `ignore` | Comma separated list of Hadolint rules to ignore. | | +| `trusted-registries` | Comma separated list of urls of trusted registries | | -The path to the Dockerfile to be tested. By default it will look for a Dockerfile in the current directory. +## Output + +The Action will store results in an environment variable that can be used in other steps in a workflow. + +Example to create a comment in a PR: + +``` +- name: Update Pull Request + uses: actions/github-script@v6 + if: github.event_name == 'pull_request' + with: + script: | + const output = ` + #### Hadolint: \`${{ steps.hadolint.outcome }}\` + \`\`\` + ${process.env.HADOLINT_RESULTS} + \`\`\` + `; + + github.rest.issues.createComment({ + issue_number: context.issue.number, + owner: context.repo.owner, + repo: context.repo.repo, + body: output + }) +``` + +## Hadolint Configuration + +To configure Hadolint (for example ignore rules), you can create an `.hadolint.yaml` file in the root of your repository. Please check the Hadolint [documentation](https://github.com/hadolint/hadolint#configure). ## 🤝 Contributing @@ -32,10 +82,13 @@ Contributions are what make the open source community such an amazing place to b 4. Push to the Branch (`git push origin feature/AmazingFeature`) 5. Open a Pull Request -## Useful Resources +## 💛 Support the project -* [Building actions - GitHub Help](https://help.github.com/en/articles/building-actions) -* [actions/toolkit: The GitHub ToolKit for developing GitHub Actions.](https://github.com/actions/toolkit) +If this project was useful to you in some form, We would be glad to have your support. It will help keeping the project alive. + +The sinplest form of support is to give a ⭐️ to this repo. + +This project was originally created by [Bruno Paz](https://github.com/sponsors/brpaz) and incorporated into the Hadolint organization. If you appreciate the work done on this action, Bruno would be happy with your [sponsorship](https://github.com/sponsors/brpaz). ## Author @@ -46,6 +99,4 @@ Contributions are what make the open source community such an amazing place to b ## 📝 License -Copyright © 2019 [Bruno Paz](https://github.com/brpaz). - -This project is [MIT](LICENSE) licensed. +[MIT](LICENSE) diff --git a/action.yml b/action.yml index 2a27000..e1c9fba 100644 --- a/action.yml +++ b/action.yml @@ -3,13 +3,98 @@ description: 'Action that runs Hadolint Dockerfile linting tool' author: 'Bruno Paz' inputs: dockerfile: + required: false description: 'The path to the Dockerfile to lint' default: 'Dockerfile' + config: + required: false + description: 'Path to a config file' + default: + recursive: + required: false + description: + 'Search for specified dockerfile recursively, from the project root' + default: 'false' + output-file: + required: false + description: 'The path where to save the linting results to' + default: "/dev/stdout" + + # standart hadolint options: + no-color: + required: false + description: Don't create colored output. + default: 'false' + no-fail: + required: false + description: Never exit with a failure status code + default: 'false' + verbose: + required: false + description: Print more information about the running config + default: 'false' + format: + required: false + description: | + The output format, one of [tty (default) | json | checkstyle | + codeclimate | gitlab_codeclimate | codacy | sarif] + default: 'tty' + failure-threshold: + required: false + description: | + Fail the pipeline only if rules with severity above this threshold are + violated. One of [error | warning | info (default) | style | ignore] + default: 'info' + override-error: + required: false + description: + 'A comma separated list of rules whose severity will be `error`' + default: + override-warning: + required: false + description: + 'A comma separated list of rules whose severity will be `warning`' + default: + override-info: + required: false + description: + 'A comma separated list of rules whose severity will be `info`' + default: + override-style: + required: false + description: + 'A comma separated list of rules whose severity will be `style`' + default: + ignore: + required: false + description: 'A comma separated string of rules to ignore' + default: + trusted-registries: + required: false + description: 'A comma separated list of trusted registry urls' + default: + runs: using: 'docker' image: 'Dockerfile' args: - ${{ inputs.dockerfile }} + env: + NO_COLOR: ${{ inputs.no-color }} + HADOLINT_NOFAIL: ${{ inputs.no-fail }} + HADOLINT_VERBOSE: ${{ inputs.verbose }} + HADOLINT_FORMAT: ${{ inputs.format }} + HADOLINT_FAILURE_THRESHOLD: ${{ inputs.failure-threshold }} + HADOLINT_OVERRIDE_ERROR: ${{ inputs.override-error }} + HADOLINT_OVERRIDE_WARNING: ${{ inputs.override-warning }} + HADOLINT_OVERRIDE_INFO: ${{ inputs.override-info }} + HADOLINT_OVERRIDE_STYLE: ${{ inputs.override-style }} + HADOLINT_IGNORE: ${{ inputs.ignore }} + HADOLINT_TRUSTED_REGISTRIES: ${{ inputs.trusted-registries }} + + HADOLINT_CONFIG: ${{ inputs.config }} + HADOLINT_RECURSIVE: ${{ inputs.recursive }} + HADOLINT_OUTPUT: ${{ inputs.output-file }} branding: icon: 'layers' color: 'purple' diff --git a/hadolint.sh b/hadolint.sh new file mode 100755 index 0000000..d28035d --- /dev/null +++ b/hadolint.sh @@ -0,0 +1,67 @@ +#!/bin/bash +# The problem-matcher definition must be present in the repository +# checkout (outside the Docker container running hadolint). We copy +# problem-matcher.json to the home folder. + +PROBLEM_MATCHER_FILE="/problem-matcher.json" +if [ -f "$PROBLEM_MATCHER_FILE" ]; then + cp "$PROBLEM_MATCHER_FILE" "$HOME/" +fi +# After the run has finished we remove the problem-matcher.json from +# the repository so we don't leave the checkout dirty. We also remove +# the matcher so it won't take effect in later steps. +# shellcheck disable=SC2317 +cleanup() { + echo "::remove-matcher owner=brpaz/hadolint-action::" +} +trap cleanup EXIT + +echo "::add-matcher::$HOME/problem-matcher.json" + +if [ -n "$HADOLINT_CONFIG" ]; then + HADOLINT_CONFIG="-c ${HADOLINT_CONFIG}" +fi + +if [ -z "$HADOLINT_TRUSTED_REGISTRIES" ]; then + unset HADOLINT_TRUSTED_REGISTRIES +fi + +COMMAND="hadolint $HADOLINT_CONFIG" + +if [ "$HADOLINT_RECURSIVE" = "true" ]; then + shopt -s globstar + + filename="${!#}" + flags="${*:1:$#-1}" + + RESULTS=$(eval "$COMMAND $flags" -- **/"$filename") +else + flags=$* + RESULTS=$(eval "$COMMAND" "$flags") +fi +FAILED=$? + +if [ -n "$HADOLINT_OUTPUT" ]; then + if [ -f "$HADOLINT_OUTPUT" ]; then + HADOLINT_OUTPUT="$TMP_FOLDER/$HADOLINT_OUTPUT" + fi + echo "$RESULTS" >"$HADOLINT_OUTPUT" +fi + +RESULTS="${RESULTS//$'\\n'/''}" + +{ + echo "results<>"$GITHUB_OUTPUT" + +{ + echo "HADOLINT_RESULTS<>"$GITHUB_ENV" + +[ -z "$HADOLINT_OUTPUT" ] || echo "Hadolint output saved to: $HADOLINT_OUTPUT" + +exit $FAILED diff --git a/problem-matcher.json b/problem-matcher.json new file mode 100644 index 0000000..215a6e0 --- /dev/null +++ b/problem-matcher.json @@ -0,0 +1,15 @@ +{ + "problemMatcher": [ + { + "owner": "brpaz/hadolint-action", + "pattern": [ + { + "regexp": "(.*)\\:(\\d+)\\s(.*)", + "file": 1, + "line": 2, + "message": 3 + } + ] + } + ] +} diff --git a/testdata/hadolint.yaml b/testdata/hadolint.yaml new file mode 100644 index 0000000..f8cbb9d --- /dev/null +++ b/testdata/hadolint.yaml @@ -0,0 +1 @@ +failure-threshold: error diff --git a/testdata/info.Dockerfile b/testdata/info.Dockerfile new file mode 100644 index 0000000..3f9ed7c --- /dev/null +++ b/testdata/info.Dockerfile @@ -0,0 +1,5 @@ +FROM debian:buster + +# info level warning expected here: +RUN echo "Hello" +RUN echo "World" diff --git a/testdata/warning.Dockerfile b/testdata/warning.Dockerfile new file mode 100644 index 0000000..24b6d2e --- /dev/null +++ b/testdata/warning.Dockerfile @@ -0,0 +1,4 @@ +FROM debian:buster + +# emits an info and a warning level violation. +RUN apt-get install foo