actions/hadolint-action
2
0
Fork 0
mirror of https://github.com/hadolint/hadolint-action.git synced 2026-05-16 07:05:54 +00:00
Code Issues Projects Releases Packages Wiki Activity Actions

Compare commits

base: actions:master
Branches Tags
actions:master
actions:v3.3.0
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2.1.0
actions:v2.0.0
actions:v1.7.0
actions:v1.6.0
actions:v1.5.0
actions:v1.4.0
actions:v1.3.1
actions:v1.3.0
actions:v1.2.1
actions:v1.2.0
actions:v1.1.0
actions:v1.0.1
actions:v1.0.2
actions:v1.0.0
..
compare: actions:v1.2.1
Branches Tags
actions:master
actions:v3.3.0
actions:v3.2.0
actions:v3.1.0
actions:v3.0.0
actions:v2.1.0
actions:v2.0.0
actions:v1.7.0
actions:v1.6.0
actions:v1.5.0
actions:v1.4.0
actions:v1.3.1
actions:v1.3.0
actions:v1.2.1
actions:v1.2.0
actions:v1.1.0
actions:v1.0.1
actions:v1.0.2
actions:v1.0.0

No commits in common. "master" and "v1.2.1" have entirely different histories.
master ... v1.2.1

11 changed files with 81 additions and 334 deletions
Download patch file Download diff file Expand all files Collapse all files

4
.github/FUNDING.yml vendored Normal file
View file

@ -0,0 +1,4 @@
# https://help.github.com/en/articles/displaying-a-sponsor-button-in-your-repository
github: brpaz
patreon: brpaz
custom: https://www.buymeacoffee.com/Z1Bu6asGV

156
.github/workflows/ci.yml vendored
View file

@ -3,139 +3,81 @@ on:
push: push:
branches: branches:
- master - master
pull_request: pull_request:
env: env:
TEST_IMAGE_NAME: hadolint-action:${{github.sha}} TEST_IMAGE_NAME: hadolint-action:${{github.sha}}
permissions:
contents: write
issues: write # Used by Release step to update "The automated release is failing" issue
pull-requests: write # Used by ShellCheck Action to add comments on PR
jobs: jobs:
lint: lint:
name: Lint runs-on: ubuntu-latest
runs-on: ubuntu-24.04 container: pipelinecomponents/hadolint:latest
container: pipelinecomponents/hadolint:0.27.2
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v1
- name: Run hadolint - name: Run hadolint
run: hadolint Dockerfile run: hadolint Dockerfile
shellcheck: build:
name: ShellCheck runs-on: ubuntu-latest
runs-on: ubuntu-24.04 needs: ['lint']
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v1
- name: Run ShellCheck
uses: reviewdog/action-shellcheck@v1.31.0
with:
reporter: github-pr-review
fail_on_error: true
build-test:
name: Build and Test
runs-on: ubuntu-24.04
needs:
- lint
- shellcheck
steps:
- uses: actions/checkout@v5
- name: Build Docker image - name: Build Docker image
run: docker build -t $TEST_IMAGE_NAME . run: docker build -t $TEST_IMAGE_NAME .
- name: Run Structure tests - name: Save Docker image artifact
uses: brpaz/structure-tests-action@v1.1.2 run: docker save -o action.tar $TEST_IMAGE_NAME
- name: Upload image artifact
uses: actions/upload-artifact@master
with: with:
image: ${{ env.TEST_IMAGE_NAME }} name: action-image
path: action.tar
integration-tests: test:
name: Integration Tests name: Unit Tests
runs-on: ubuntu-24.04 runs-on: ubuntu-latest
needs: needs: build
- build-test
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v1
- name: Run integration test 1 - name: Pull Image artifact
uses: actions/download-artifact@master
with:
name: action-image
- name: Load image into docker context
run: docker load -i action.tar
- name: Get Image Name
id: image_name
run: echo "##[set-output name=image;]$(echo $TEST_IMAGE_NAME)"
- name: Run Structure tests
uses: brpaz/structure-tests-action@master
with:
image: ${{ steps.image_name.outputs.image }}
integration:
name: Integration Tests
runs-on: ubuntu-latest
needs: test
steps:
- uses: actions/checkout@v1
- name: Run integration test
uses: ./ uses: ./
with: with:
dockerfile: testdata/Dockerfile dockerfile: testdata/Dockerfile
- name: Run integration test 2 - ignore a rule
# This step is supposed to print out an info level rule violation
# but completely ignore the two rules listed below
uses: ./
with:
dockerfile: testdata/warning.Dockerfile
ignore: 'DL3014,DL3008'
no-fail: true
- name: Run integration test 3 - set failure threshold
# This step will print out an info level rule violation, but not fail
# because of the high failure threshold.
uses: ./
with:
dockerfile: testdata/info.Dockerfile
failure-threshold: warning
- name: Run integration test 4 - output format
# This step will never fail, but will print out rule violations as json.
uses: ./
with:
dockerfile: testdata/warning.Dockerfile
failure-threshold: error
format: json
- name: Run integration test 5 - config file
# This step will never fail, but will print out rule violations
# because in config is set the error failure threshold.
id: hadolint5
uses: ./
with:
dockerfile: testdata/warning.Dockerfile
config: testdata/hadolint.yaml
- name: Run integration test 6 - verify results output parameter
# This step will never fail, but will print out the results from step5
env:
results: ${{ steps.hadolint5.outputs.results }}
run: echo "$results"
- name: Run integration test 7 - set recursive
# This step will never fail, but will print out rule violations
# for all the Dockerfiles in repository.
uses: ./
with:
dockerfile: "*Dockerfile"
failure-threshold: error
recursive: true
#- name: Run integration test 8 - output to file
# # This step will never fail, but will print out rule violations.
# uses: ./
# with:
# dockerfile: testdata/warning.Dockerfile
# format: sarif
# output-file: report.sarif
release: release:
if: github.event_name == 'push' && github.ref == 'refs/heads/master' if: github.event_name == 'push' && github.ref == 'refs/heads/master'
name: Release name: Release
runs-on: ubuntu-24.04 runs-on: ubuntu-latest
needs: needs: integration
- integration-tests
steps: steps:
- uses: actions/checkout@v5 - uses: actions/checkout@v1
- name: Semantic Release
- uses: cycjimmy/semantic-release-action@v5 uses: brpaz/action-semantic-release@master
with:
extra_plugins: |
@semantic-release/git
env: env:
GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}} GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}

2
Dockerfile
View file

@ -1,4 +1,4 @@
FROM ghcr.io/hadolint/hadolint:v2.14.0-debian FROM hadolint/hadolint:v1.17.5-alpine
COPY LICENSE README.md problem-matcher.json / COPY LICENSE README.md problem-matcher.json /
COPY hadolint.sh /usr/local/bin/hadolint.sh COPY hadolint.sh /usr/local/bin/hadolint.sh

2
Makefile
View file

@ -1,7 +1,7 @@
IMAGE_NAME:=hadolint-action IMAGE_NAME:=hadolint-action
lint-dockerfile: ## Runs hadolint against application dockerfile lint-dockerfile: ## Runs hadoint against application dockerfile
@docker run --rm -v "$(PWD):/data" -w "/data" hadolint/hadolint hadolint Dockerfile @docker run --rm -v "$(PWD):/data" -w "/data" hadolint/hadolint hadolint Dockerfile
lint-yaml: ## Lints yaml configurations lint-yaml: ## Lints yaml configurations

75
README.md
View file

@ -1,76 +1,26 @@
# Hadolint Action # Hadolint GitHub Action
> GitHub Action that runs [Hadolint](https://github.com/hadolint/hadolint) Dockerfile linting tool. > Action that runs [Hadolint](https://github.com/hadolint/hadolint) Dockerfile linting tool.
[![GitHub Action](https://img.shields.io/badge/GitHub-Action-blue?style=for-the-badge)](https://github.com/features/actions) [![GitHub Action](https://img.shields.io/badge/GitHub-Action-blue?style=for-the-badge)](https://github.com/features/actions)
[![License](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](LICENSE) [![License](https://img.shields.io/badge/License-MIT-yellow.svg?style=for-the-badge)](LICENSE)
[![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg?style=for-the-badge)](http://commitizen.github.io/cz-cli/) [![Commitizen friendly](https://img.shields.io/badge/commitizen-friendly-brightgreen.svg?style=for-the-badge)](http://commitizen.github.io/cz-cli/)
[![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=for-the-badge)](https://github.com/semantic-release/semantic-release?style=for-the-badge) [![semantic-release](https://img.shields.io/badge/%20%20%F0%9F%93%A6%F0%9F%9A%80-semantic--release-e10079.svg?style=for-the-badge)](https://github.com/semantic-release/semantic-release?style=for-the-badge)
[![GitHub Workflow Status](https://img.shields.io/github/actions/workflow/status/hadolint/hadolint-action/ci.yml?branch=master&style=for-the-badge)](https://github.com/hadolint/hadolint-action/action)
[![GitHub Actions](https://github.com/brpaz/hadolint-action/workflows/CI/badge.svg?style=for-the-badge)](https://github.com/brpaz/hadolint-action/actions)
## Usage ## Usage
Add the following step to your workflow configuration:
```yml ```yml
steps: steps:
- uses: actions/checkout@v3 uses: brpaz/hadolint-action@master
- uses: hadolint/hadolint-action@v3.1.0
with:
dockerfile: Dockerfile
``` ```
## Inputs ## Inputs
| Name | Description | Default | **`dockerfile`**
|----------------------|-----------------------------------------------------------------------------------------------------------------------------------------|--------------------|
| `dockerfile` | The path to the Dockerfile to be tested | `./Dockerfile` |
| `recursive` | Search for specified dockerfile </br> recursively, from the project root | `false` |
| `config` | Custom path to a Hadolint config file | `./.hadolint.yaml` |
| `output-file` | A sub-path where to save the </br> output as a file to | `/dev/stdout` |
| `no-color` | Don't create colored output (`true`/`false`) | `false` |
| `no-fail` | Never fail the action (`true`/`false`) | `false` |
| `verbose` | Output more information (`true`/`false`) | `false` |
| `format` | The output format. One of [`tty` \| `json` \| </br> `checkstyle` \| `codeclimate` \| </br> `gitlab_codeclimate` \| `codacy` \| `sarif`] | `tty` |
| `failure-threshold` | Rule severity threshold for pipeline </br> failure. One of [`error` \| `warning` \| </br> `info` \| `style` \| `ignore`] | `info` |
| `override-error` | Comma separated list of rules to treat with `error` severity | |
| `override-warning` | Comma separated list of rules to treat with `warning` severity | |
| `override-info` | Comma separated list of rules to treat with `info` severity | |
| `override-style` | Comma separated list of rules to treat with `style` severity | |
| `ignore` | Comma separated list of Hadolint rules to ignore. | <none> |
| `trusted-registries` | Comma separated list of urls of trusted registries | |
## Output The path to the Dockerfile to be tested. By default it will look for a Dockerfile in the current directory.
The Action will store results in an environment variable that can be used in other steps in a workflow.
Example to create a comment in a PR:
```
- name: Update Pull Request
uses: actions/github-script@v6
if: github.event_name == 'pull_request'
with:
script: |
const output = `
#### Hadolint: \`${{ steps.hadolint.outcome }}\`
\`\`\`
${process.env.HADOLINT_RESULTS}
\`\`\`
`;
github.rest.issues.createComment({
issue_number: context.issue.number,
owner: context.repo.owner,
repo: context.repo.repo,
body: output
})
```
## Hadolint Configuration
To configure Hadolint (for example ignore rules), you can create an `.hadolint.yaml` file in the root of your repository. Please check the Hadolint [documentation](https://github.com/hadolint/hadolint#configure).
## 🤝 Contributing ## 🤝 Contributing
@ -82,13 +32,10 @@ Contributions are what make the open source community such an amazing place to b
4. Push to the Branch (`git push origin feature/AmazingFeature`) 4. Push to the Branch (`git push origin feature/AmazingFeature`)
5. Open a Pull Request 5. Open a Pull Request
## 💛 Support the project ## Useful Resources
If this project was useful to you in some form, We would be glad to have your support. It will help keeping the project alive. * [Building actions - GitHub Help](https://help.github.com/en/articles/building-actions)
* [actions/toolkit: The GitHub ToolKit for developing GitHub Actions.](https://github.com/actions/toolkit)
The sinplest form of support is to give a ⭐️ to this repo.
This project was originally created by [Bruno Paz](https://github.com/sponsors/brpaz) and incorporated into the Hadolint organization. If you appreciate the work done on this action, Bruno would be happy with your [sponsorship](https://github.com/sponsors/brpaz).
## Author ## Author
@ -99,4 +46,6 @@ This project was originally created by [Bruno Paz](https://github.com/sponsors/b
## 📝 License ## 📝 License
[MIT](LICENSE) Copyright © 2019 [Bruno Paz](https://github.com/brpaz).
This project is [MIT](LICENSE) licensed.

85
action.yml
View file

@ -3,98 +3,13 @@ description: 'Action that runs Hadolint Dockerfile linting tool'
author: 'Bruno Paz' author: 'Bruno Paz'
inputs: inputs:
dockerfile: dockerfile:
required: false
description: 'The path to the Dockerfile to lint' description: 'The path to the Dockerfile to lint'
default: 'Dockerfile' default: 'Dockerfile'
config:
required: false
description: 'Path to a config file'
default:
recursive:
required: false
description:
'Search for specified dockerfile recursively, from the project root'
default: 'false'
output-file:
required: false
description: 'The path where to save the linting results to'
default: "/dev/stdout"
# standart hadolint options:
no-color:
required: false
description: Don't create colored output.
default: 'false'
no-fail:
required: false
description: Never exit with a failure status code
default: 'false'
verbose:
required: false
description: Print more information about the running config
default: 'false'
format:
required: false
description: |
The output format, one of [tty (default) | json | checkstyle |
codeclimate | gitlab_codeclimate | codacy | sarif]
default: 'tty'
failure-threshold:
required: false
description: |
Fail the pipeline only if rules with severity above this threshold are
violated. One of [error | warning | info (default) | style | ignore]
default: 'info'
override-error:
required: false
description:
'A comma separated list of rules whose severity will be `error`'
default:
override-warning:
required: false
description:
'A comma separated list of rules whose severity will be `warning`'
default:
override-info:
required: false
description:
'A comma separated list of rules whose severity will be `info`'
default:
override-style:
required: false
description:
'A comma separated list of rules whose severity will be `style`'
default:
ignore:
required: false
description: 'A comma separated string of rules to ignore'
default:
trusted-registries:
required: false
description: 'A comma separated list of trusted registry urls'
default:
runs: runs:
using: 'docker' using: 'docker'
image: 'Dockerfile' image: 'Dockerfile'
args: args:
- ${{ inputs.dockerfile }} - ${{ inputs.dockerfile }}
env:
NO_COLOR: ${{ inputs.no-color }}
HADOLINT_NOFAIL: ${{ inputs.no-fail }}
HADOLINT_VERBOSE: ${{ inputs.verbose }}
HADOLINT_FORMAT: ${{ inputs.format }}
HADOLINT_FAILURE_THRESHOLD: ${{ inputs.failure-threshold }}
HADOLINT_OVERRIDE_ERROR: ${{ inputs.override-error }}
HADOLINT_OVERRIDE_WARNING: ${{ inputs.override-warning }}
HADOLINT_OVERRIDE_INFO: ${{ inputs.override-info }}
HADOLINT_OVERRIDE_STYLE: ${{ inputs.override-style }}
HADOLINT_IGNORE: ${{ inputs.ignore }}
HADOLINT_TRUSTED_REGISTRIES: ${{ inputs.trusted-registries }}
HADOLINT_CONFIG: ${{ inputs.config }}
HADOLINT_RECURSIVE: ${{ inputs.recursive }}
HADOLINT_OUTPUT: ${{ inputs.output-file }}
branding: branding:
icon: 'layers' icon: 'layers'
color: 'purple' color: 'purple'

75
hadolint.sh
View file

@ -1,67 +1,14 @@
#!/bin/bash #!/bin/sh
# The problem-matcher definition must be present in the repository # The problem-matcher definition must be present in the repository
# checkout (outside the Docker container running hadolint). We copy # checkout (outside the Docker container running hadolint). We create
# problem-matcher.json to the home folder. # a temporary folder and copy problem-matcher.json to it and make it
# readable.
TMP_FOLDER=$(mktemp -d -p .)
cp /problem-matcher.json "${TMP_FOLDER}"
chmod -R a+rX "${TMP_FOLDER}"
trap "rm -rf \"${TMP_FOLDER}\"" EXIT
PROBLEM_MATCHER_FILE="/problem-matcher.json" echo "::add-matcher::${TMP_FOLDER}/problem-matcher.json"
if [ -f "$PROBLEM_MATCHER_FILE" ]; then
cp "$PROBLEM_MATCHER_FILE" "$HOME/"
fi
# After the run has finished we remove the problem-matcher.json from
# the repository so we don't leave the checkout dirty. We also remove
# the matcher so it won't take effect in later steps.
# shellcheck disable=SC2317
cleanup() {
echo "::remove-matcher owner=brpaz/hadolint-action::"
}
trap cleanup EXIT
echo "::add-matcher::$HOME/problem-matcher.json" hadolint "$@"
if [ -n "$HADOLINT_CONFIG" ]; then
HADOLINT_CONFIG="-c ${HADOLINT_CONFIG}"
fi
if [ -z "$HADOLINT_TRUSTED_REGISTRIES" ]; then
unset HADOLINT_TRUSTED_REGISTRIES
fi
COMMAND="hadolint $HADOLINT_CONFIG"
if [ "$HADOLINT_RECURSIVE" = "true" ]; then
shopt -s globstar
filename="${!#}"
flags="${*:1:$#-1}"
RESULTS=$(eval "$COMMAND $flags" -- **/"$filename")
else
flags=$*
RESULTS=$(eval "$COMMAND" "$flags")
fi
FAILED=$?
if [ -n "$HADOLINT_OUTPUT" ]; then
if [ -f "$HADOLINT_OUTPUT" ]; then
HADOLINT_OUTPUT="$TMP_FOLDER/$HADOLINT_OUTPUT"
fi
echo "$RESULTS" >"$HADOLINT_OUTPUT"
fi
RESULTS="${RESULTS//$'\\n'/''}"
{
echo "results<<EOF"
echo "$RESULTS"
echo "EOF"
} >>"$GITHUB_OUTPUT"
{
echo "HADOLINT_RESULTS<<EOF"
echo "$RESULTS"
echo "EOF"
} >>"$GITHUB_ENV"
[ -z "$HADOLINT_OUTPUT" ] || echo "Hadolint output saved to: $HADOLINT_OUTPUT"
exit $FAILED

2
problem-matcher.json
View file

@ -1,7 +1,7 @@
{ {
"problemMatcher": [ "problemMatcher": [
{ {
"owner": "brpaz/hadolint-action", "owner": "hadolint",
"pattern": [ "pattern": [
{ {
"regexp": "(.*)\\:(\\d+)\\s(.*)", "regexp": "(.*)\\:(\\d+)\\s(.*)",

1
testdata/hadolint.yaml vendored
View file

@ -1 +0,0 @@
failure-threshold: error

5
testdata/info.Dockerfile vendored
View file

@ -1,5 +0,0 @@
FROM debian:buster
# info level warning expected here:
RUN echo "Hello"
RUN echo "World"

4
testdata/warning.Dockerfile vendored
View file

@ -1,4 +0,0 @@
FROM debian:buster
# emits an info and a warning level violation.
RUN apt-get install foo