feat(ci): docker linting (#10927)

* feat(ci): docker linting adds hadolint to validate dockerfile best practices configures project-specific rules in .hadolint.yaml * fix(ci): enable hadolint console output adds verbose and tty format to see linting results in CI logs * test: trigger hadolint warning remove --no-install-recommends to test CI output * fix(ci): fail hadolint on warnings stricter linting to catch all best practice violations * fix: add --no-install-recommends to apt-get reduces image size by avoiding unnecessary packages * refactor: use WORKDIR instead of cd in dockerfile replaces cd commands with WORKDIR for cleaner dockerfile removes unnecessary hadolint ignore rules DL3003 and DL3009 * chore: simplify hadolint config removes unnecessary override rules for cleaner config (cherry picked from commit 82fef0c045)
2026-02-21 02:17:45 +08:00 · 2025-08-26 17:01:06 +02:00 · 2025-08-26 17:01:06 +02:00 · 21e9f27c90
commit 21e9f27c90
parent 46324f085d
4 changed files with 38 additions and 7 deletions
--- a/.github/workflows/docker-check.yml
+++ b/.github/workflows/docker-check.yml
@ -1,5 +1,7 @@
-# If we decide to run build-image.yml on every PR, we could deprecate this workflow.
-name: Docker Build
+# This workflow performs a quick Docker build check on PRs and pushes to master.
+# It builds the Docker image and runs a basic smoke test to ensure the image works.
+# This is a lightweight check - for full multi-platform builds and publishing, see docker-image.yml
+name: Docker Check

 on:
  workflow_dispatch:
@ -15,7 +17,20 @@ concurrency:
  cancel-in-progress: true

 jobs:
-  docker-build:
+  lint:
+    if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v5
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          failure-threshold: warning
+          verbose: true
+          format: tty
+
+  build:
    if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
    runs-on: ubuntu-latest
    timeout-minutes: 10
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@ -1,3 +1,7 @@
+# This workflow builds and publishes official Docker images to Docker Hub.
+# It handles multi-platform builds (amd64, arm/v7, arm64/v8) and pushes tagged releases.
+# This workflow is triggered on tags, specific branches, and can be manually dispatched.
+# For quick build checks during development, see docker-check.yml
 name: Docker Push

 on:
--- a/.hadolint.yaml
+++ b/.hadolint.yaml
@ -0,0 +1,13 @@
+# Hadolint configuration for Kubo Docker image
+# https://github.com/hadolint/hadolint
+
+# Ignore specific rules
+ignored:
+  # DL3008: Pin versions in apt-get install
+  # We use stable base images and prefer smaller layers over version pinning
+  - DL3008
+
+# Trust base images from these registries
+trustedRegistries:
+  - docker.io
+  - gcr.io
--- a/7
+++ b/7
@ -8,9 +8,9 @@ ENV SRC_DIR=/kubo

 # Cache go module downloads between builds for faster rebuilds
 COPY go.mod go.sum $SRC_DIR/
+WORKDIR $SRC_DIR
 RUN --mount=type=cache,target=/go/pkg/mod \
-  cd $SRC_DIR \
-  && go mod download
+  go mod download

 COPY . $SRC_DIR

@ -25,8 +25,7 @@ ARG MAKE_TARGET=build
 # mkdir .git/objects allows git rev-parse to read commit hash for version info
 RUN --mount=type=cache,target=/go/pkg/mod \
  --mount=type=cache,target=/root/.cache/go-build \
-  cd $SRC_DIR \
-  && mkdir -p .git/objects \
+  mkdir -p .git/objects \
  && GOOS=$TARGETOS GOARCH=$TARGETARCH GOFLAGS=-buildvcs=false make ${MAKE_TARGET} IPFS_PLUGINS=$IPFS_PLUGINS

 # Extract required runtime tools from Debian.