

chore(docker): prep upgrade mechanism for docker 8.0.0 release (#544)



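name: Dockerfile Linting
on:
  push:
    branches:
      - master
    # GitHub Actions do not support YAML anchors
    # There are five places in here we must keep
    # the paths in sync and the exclusion logic.
    paths:
      # Include all Dockerfiles except those in obsolete directories
      - '**/Dockerfile*'
      - '.github/workflows/hadolint.yml'
      - '.hadolint.yaml'
      # Exclude everything in obsolete.
      # This needs to be last.
      - '!docker/openemr/obsolete/**'
      - '!docker/obsolete/**'
  pull_request:
    branches:
      - master
    paths:
      # Include all Dockerfiles except those in obsolete directories
      - '**/Dockerfile*'
      - '.github/workflows/hadolint.yml'
      - '.hadolint.yaml'
      # Exclude everything in obsolete.
      # This needs to be last.
      - '!docker/openemr/obsolete/**'
      - '!docker/obsolete/**'
jobs:
  hadolint:
    name: Hadolint
    runs-on: ubuntu-latest
    # Least privilege: the job only reads the checkout, so no write scope
    # is granted to the job token.
    permissions:
      contents: read
    steps:
      # Third-party actions are referenced by moving tags. A full commit SHA
      # (with the tag kept in a trailing comment) is the tamper-resistant form,
      # since a tag can be re-pointed after the fact.
      - uses: actions/checkout@v6
      - name: Get changed Dockerfile files
        id: changed-files
        # We run hadolint on all unique Dockerfiles in the repo
        # if only the workflow file itself is changed in a PR.
        # Thus we validate changes to the workflow file.
        continue-on-error: true
        uses: tj-actions/changed-files@v47
        with:
          # Keep the paths in sync with the paths in the on.push and on.pull_request sections
          # See https://github.com/tj-actions/changed-files/blob/v46/README.md#inputs-%EF%B8%8F
          # for tj-actions/changed-files specific syntax
          files: |
            **/Dockerfile*
            !docker/openemr/obsolete/**
            !docker/obsolete/**
      - name: Create unique files list
        id: unique-files
        # Step outputs are handed to the script through the environment instead
        # of being expanded with ${{ }} inside `run:`. An expression expanded
        # inside `run:` is spliced into the shell source before it executes, so
        # a file name carrying shell syntax would be interpreted as code; an
        # environment variable is only ever data.
        env:
          CHANGED_FILES_OUTCOME: ${{ steps.changed-files.outcome }}
          ANY_CHANGED: ${{ steps.changed-files.outputs.any_changed }}
          ALL_CHANGED_FILES: ${{ steps.changed-files.outputs.all_changed_files }}
        run: |
          set -x
          # Per-run scratch directory for content hashes (no fixed /tmp path).
          hash_dir=$(mktemp -d)
          # If the changed-files step failed or returned empty,
          # use find to get all Dockerfiles in the repo.
          if [[ "$CHANGED_FILES_OUTCOME" = success && "$ANY_CHANGED" = true ]]; then
            echo 'Changed files found, checking only those.'
            # The action emits a space-separated list; read -a splits on IFS
            # without glob expansion, so no set -f / set +f pair is needed.
            read -ra files_to_check <<< "$ALL_CHANGED_FILES"
          else
            echo 'No changed files found, checking all Dockerfiles in the repo.'
            # Find all Dockerfiles, excluding obsolete directories
            mapfile -t files_to_check < <(find . -name "Dockerfile*" -type f | grep -v '/obsolete/')
          fi
          unique_files=()
          # Process each candidate file, keeping one path per distinct content hash
          for file in "${files_to_check[@]}"; do
            [[ -f "$file" ]] || continue
            # Skip files in the obsolete directory
            [[ "$file" = docker/openemr/obsolete/* ]] && continue
            [[ "$file" = docker/obsolete/* ]] && continue
            # Get hash of file content
            hash=$(sha256sum "$file" | cut -d ' ' -f 1)
            # Check if we've seen this hash before
            [[ -f "$hash_dir/$hash" ]] && continue
            # New unique file
            > "$hash_dir/$hash"
            unique_files+=( "$file" )
          done
          # This relies on one space between each path name.
          echo "files=${unique_files[*]}" >> "$GITHUB_OUTPUT"
      - name: Run hadolint on unique files
        if: ${{ steps.unique-files.outputs.files != '' }}
        # Same rationale as above: the file list is data, not script source.
        env:
          UNIQUE_FILES: ${{ steps.unique-files.outputs.files }}
        run: |
          # `latest` is a moving tag; pin to a release tag or image digest
          # once one is chosen so lint results are reproducible across runs.
          docker pull hadolint/hadolint:latest
          has_errors=0
          # Split the space-separated list without glob expansion.
          read -ra files <<< "$UNIQUE_FILES"
          # Run hadolint on each file and check for errors
          for file in "${files[@]}"; do
            echo "Checking $file"
            if ! docker run --rm -i -v "${PWD}/.hadolint.yaml:/.config/hadolint.yaml" hadolint/hadolint < "$file"; then
              has_errors=1
            fi
          done
          # Exit with error if any file had issues
          if (( has_errors == 1 )); then
            echo "Hadolint found issues in one or more files"
            exit 1
          fi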