diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-check.yml
similarity index 63%
rename from .github/workflows/docker-build.yml
rename to .github/workflows/docker-check.yml
index 24ece3fa4..e11f9830d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-check.yml
@@ -1,5 +1,7 @@
-# If we decide to run build-image.yml on every PR, we could deprecate this workflow.
-name: Docker Build
+# This workflow performs a quick Docker build check on PRs and pushes to master.
+# It builds the Docker image and runs a basic smoke test to ensure the image works.
+# This is a lightweight check - for full multi-platform builds and publishing, see docker-image.yml
+name: Docker Check
 
 on:
 workflow_dispatch:
@@ -15,7 +17,20 @@ concurrency:
 cancel-in-progress: true
 
 jobs:
- docker-build:
+ lint:
+ if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v5
+ - uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfile
+ failure-threshold: warning
+ verbose: true
+ format: tty
+
+ build:
 if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-latest
 timeout-minutes: 10
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 6d89c2980..4564c060e 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,3 +1,7 @@
+# This workflow builds and publishes official Docker images to Docker Hub.
+# It handles multi-platform builds (amd64, arm/v7, arm64/v8) and pushes tagged releases.
+# This workflow is triggered on tags, specific branches, and can be manually dispatched.
+# For quick build checks during development, see docker-check.yml
 name: Docker Push
 
 on:
diff --git a/.hadolint.yaml b/.hadolint.yaml
new file mode 100644
index 000000000..78b3d23bf
--- /dev/null
+++ b/.hadolint.yaml
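Review bot: The new `lint` job references `actions/checkout@v5` and `hadolint/hadolint-action@v3.1.0` by mutable tag, so whatever those tags resolve to at run time is what executes against the checkout; for a job that only needs to read the repository, pin each action to a full commit SHA with the version kept in a trailing comment, e.g. `- uses: hadolint/hadolint-action@<commit-sha>  # v3.1.0`. If the workflow has no top-level `permissions:` block (the `on:`/`concurrency:` region is outside this hunk, so this is not verifiable here), `permissions: contents: read` would keep the default token read-only for both the `lint` and `build` jobs. The `if:` guard is duplicated verbatim between the two jobs; a short comment on the first one saying why forks are excluded would save the next reader from guessing. The `build` job's steps continue past the end of the hunk.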
@@ -0,0 +1,13 @@
+# Hadolint configuration for Kubo Docker image
+# https://github.com/hadolint/hadolint
+
+# Ignore specific rules
+ignored:
+ # DL3008: Pin versions in apt-get install
+ # We use stable base images and prefer smaller layers over version pinning
+ - DL3008
+
+# Trust base images from these registries
+trustedRegistries:
+ - docker.io
+ - gcr.io
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 0db5f33b4..6d43beefa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,9 +8,9 @@ ENV SRC_DIR=/kubo
 
 # Cache go module downloads between builds for faster rebuilds
 COPY go.mod go.sum $SRC_DIR/
+WORKDIR $SRC_DIR
 RUN --mount=type=cache,target=/go/pkg/mod \
- cd $SRC_DIR \
- && go mod download
+ go mod download
 
 COPY . $SRC_DIR
 
@@ -25,8 +25,7 @@ ARG MAKE_TARGET=build
 # mkdir .git/objects allows git rev-parse to read commit hash for version info
 RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
- cd $SRC_DIR \
- && mkdir -p .git/objects \
+ mkdir -p .git/objects \
 && GOOS=$TARGETOS GOARCH=$TARGETARCH GOFLAGS=-buildvcs=false make ${MAKE_TARGET} IPFS_PLUGINS=$IPFS_PLUGINS
 
 # Extract required runtime tools from Debian.
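Review bot: The rationale comment above `- DL3008` ("prefer smaller layers over version pinning") does not match what the rule checks: pinning versions in `apt-get install` has no effect on layer size, and ignoring DL3008 removes the only lint signal that the image's apt packages can change between builds. If unpinned packages are an accepted trade-off, say so directly, e.g. `# Intentionally unpinned: exact Debian package versions are short-lived on mirrors; reproducibility comes from the pinned base image`. Whether the Dockerfile pulls anything from `gcr.io` is not visible in this diff; keep `trustedRegistries` to registries actually used, since any `FROM` outside the list raises DL3026. The file also ends without a trailing newline (`\ No newline at end of file`), which yamllint and most editors will flag on the next touch.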
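Review bot: Dropping `cd $SRC_DIR` in both Dockerfile hunks relies on the `WORKDIR $SRC_DIR` added in the first hunk still being the working directory when the second `RUN` at line 25 executes; any `WORKDIR` or `FROM` in the lines between the two hunks (not part of this diff) would make `mkdir -p .git/objects` and `make` run in the wrong directory, so that stretch is worth confirming before merging. With the working directory set, the stage now mixes implicit and absolute paths: the context line `COPY . $SRC_DIR` could become `COPY . .`, and moving `WORKDIR $SRC_DIR` above `COPY go.mod go.sum $SRC_DIR/` would let that line become `COPY go.mod go.sum ./` as well. A one-line comment on the new `WORKDIR`, e.g. `# All later RUN/COPY in this stage are relative to $SRC_DIR`, would make the dependency explicit for whoever edits the stage next.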