|
| 1 | +name: Dockerfile Lint |
| 2 | + |
| 3 | +on: |
| 4 | + push: |
| 5 | + branches: [main] |
| 6 | + paths: |
| 7 | + - "**/Dockerfile" |
| 8 | + - ".github/workflows/hadolint.yml" |
| 9 | + pull_request: |
| 10 | + branches: [main] |
| 11 | + paths: |
| 12 | + - "**/Dockerfile" |
| 13 | + - ".github/workflows/hadolint.yml" |
| 14 | + |
| 15 | +jobs: |
| 16 | + # ───────────────────────────────────────────────────────────── |
| 17 | + # Dynamically discover every Dockerfile in the repo so the |
| 18 | + # matrix stays up-to-date when new projects are added. |
| 19 | + # ───────────────────────────────────────────────────────────── |
| 20 | + discover: |
| 21 | + name: Discover Dockerfiles |
| 22 | + runs-on: ubuntu-latest |
| 23 | + outputs: |
| 24 | + dockerfiles: ${{ steps.find.outputs.files }} |
| 25 | + steps: |
| 26 | + - uses: actions/checkout@v4 |
| 27 | + |
| 28 | + - name: Find all Dockerfiles |
| 29 | + id: find |
| 30 | + run: | |
| 31 | + files=$(find . -name "Dockerfile" -not -path "*/.git/*" \ |
| 32 | + | sed 's|^\./||' \ |
| 33 | + | sort \ |
| 34 | + | jq -R -s -c 'split("\n")[:-1]') |
| 35 | + echo "files=$files" >> "$GITHUB_OUTPUT" |
| 36 | + echo "Found Dockerfiles:" |
| 37 | + echo "$files" | jq -r '.[]' |
| 38 | +
|
| 39 | + # ───────────────────────────────────────────────────────────── |
| 40 | + # Run hadolint against every discovered Dockerfile in parallel. |
| 41 | + # fail-fast: false ensures all projects are checked even when |
| 42 | + # one fails, so you get a complete picture in a single run. |
| 43 | + # ───────────────────────────────────────────────────────────── |
| 44 | + hadolint: |
| 45 | + name: ${{ matrix.dockerfile }} |
| 46 | + needs: discover |
| 47 | + runs-on: ubuntu-latest |
| 48 | + strategy: |
| 49 | + fail-fast: false |
| 50 | + matrix: |
| 51 | + dockerfile: ${{ fromJson(needs.discover.outputs.dockerfiles) }} |
| 52 | + steps: |
| 53 | + - uses: actions/checkout@v4 |
| 54 | + |
| 55 | + - name: Lint ${{ matrix.dockerfile }} |
| 56 | + uses: hadolint/hadolint-action@v3.1.0 |
| 57 | + with: |
| 58 | + dockerfile: ${{ matrix.dockerfile }} |
| 59 | + # error → fail the job (blocking) |
| 60 | + # warning → annotate but don't fail |
| 61 | + failure-threshold: error |
| 62 | + # Ignored rules (project-wide): |
| 63 | + # DL3008 — apt-get packages without pinned versions (acceptable for build stages) |
| 64 | + # DL3018 — apk packages without pinned versions (same reason) |
| 65 | + ignore: DL3008,DL3018 |
| 66 | + |
| 67 | + # ───────────────────────────────────────────────────────────── |
| 68 | + # Single required status check — gates merges on all matrix |
| 69 | + # jobs passing without having to list each one in branch rules. |
| 70 | + # ───────────────────────────────────────────────────────────── |
| 71 | + lint-complete: |
| 72 | + name: Hadolint passed |
| 73 | + needs: hadolint |
| 74 | + runs-on: ubuntu-latest |
| 75 | + if: always() |
| 76 | + steps: |
| 77 | + - name: Check all jobs succeeded |
| 78 | + run: | |
| 79 | + if [[ "${{ needs.hadolint.result }}" != "success" ]]; then |
| 80 | + echo "One or more Dockerfile lint jobs failed." |
| 81 | + exit 1 |
| 82 | + fi |
| 83 | + echo "All Dockerfiles passed hadolint." |
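Review bot: Both `actions/checkout@v4` (file lines 26 and 53) and `hadolint/hadolint-action@v3.1.0` (line 56) are pinned to mutable tags, and the workflow declares no `permissions:` block, so every job runs with whatever default `GITHUB_TOKEN` scope the repository grants even though linting only needs to read the checkout. Pin each `uses:` to the full-length commit SHA of the intended release (keeping the tag as a trailing comment) and add a top-level `permissions:` / `contents: read` stanza after the `on:` block; hadolint's annotations appear to come from a problem matcher and should need no extra scope, but confirm that after the change. Separately, `ignore: DL3008,DL3018` on line 65 is justified in its comment as acceptable for build stages, yet the `ignore` input disables those rules for every stage of every Dockerfile, including final runtime images where unpinned `apt-get`/`apk` installs are a reproducibility and supply-chain concern; consider dropping the global ignore and using hadolint's inline `# hadolint ignore=DL3008` directive on the specific build-stage lines instead. One edge case worth a comment or guard: if the last `Dockerfile` is deleted, `discover` emits `[]` and a matrix vector with no values will likely error the `hadolint` job, which `lint-complete` then reports as a lint failure rather than "nothing to lint".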