feat(ci): docker linting (#10927)

* feat(ci): docker linting

adds hadolint to validate dockerfile best practices
configures project-specific rules in .hadolint.yaml

* fix(ci): enable hadolint console output

adds verbose and tty format to see linting results in CI logs

* test: trigger hadolint warning

remove --no-install-recommends to test CI output

* fix(ci): fail hadolint on warnings

stricter linting to catch all best practice violations

* fix: add --no-install-recommends to apt-get

reduces image size by avoiding unnecessary packages

* refactor: use WORKDIR instead of cd in dockerfile

replaces cd commands with WORKDIR for cleaner dockerfile
removes unnecessary hadolint ignore rules DL3003 and DL3009

* chore: simplify hadolint config

removes unnecessary override rules for cleaner config

.github/workflows/docker-check.yml

@@ -1,5 +1,7 @@
-# If we decide to run build-image.yml on every PR, we could deprecate this workflow.
-name: Docker Build
+# This workflow performs a quick Docker build check on PRs and pushes to master.
+# It builds the Docker image and runs a basic smoke test to ensure the image works.
+# This is a lightweight check - for full multi-platform builds and publishing, see docker-image.yml
+name: Docker Check
 
 on:
   workflow_dispatch:
@@ -15,7 +17,20 @@ concurrency:
   cancel-in-progress: true
 
 jobs:
-  docker-build:
+  lint:
+    if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
+    runs-on: ubuntu-latest
+    timeout-minutes: 5
+    steps:
+      - uses: actions/checkout@v5
+      - uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
+          failure-threshold: warning
+          verbose: true
+          format: tty
+
+  build:
     if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
     runs-on: ubuntu-latest
     timeout-minutes: 10

.github/workflows/docker-image.yml

@@ -1,3 +1,7 @@
+# This workflow builds and publishes official Docker images to Docker Hub.
+# It handles multi-platform builds (amd64, arm/v7, arm64/v8) and pushes tagged releases.
+# This workflow is triggered on tags, specific branches, and can be manually dispatched.
+# For quick build checks during development, see docker-check.yml
 name: Docker Push
 
 on:

.hadolint.yaml

@@ -0,0 +1,13 @@
+# Hadolint configuration for Kubo Docker image
+# https://github.com/hadolint/hadolint
+
+# Ignore specific rules
+ignored:
+  # DL3008: Pin versions in apt-get install
+  # We use stable base images and prefer smaller layers over version pinning
+  - DL3008
+
+# Trust base images from these registries
+trustedRegistries:
+  - docker.io
+  - gcr.io

Dockerfile

@@ -8,9 +8,9 @@ ENV SRC_DIR=/kubo
 
 # Cache go module downloads between builds for faster rebuilds
 COPY go.mod go.sum $SRC_DIR/
+WORKDIR $SRC_DIR
 RUN --mount=type=cache,target=/go/pkg/mod \
-  cd $SRC_DIR \
-  && go mod download
+  go mod download
 
 COPY . $SRC_DIR
 
@@ -25,8 +25,7 @@ ARG MAKE_TARGET=build
 # mkdir .git/objects allows git rev-parse to read commit hash for version info
 RUN --mount=type=cache,target=/go/pkg/mod \
   --mount=type=cache,target=/root/.cache/go-build \
-  cd $SRC_DIR \
-  && mkdir -p .git/objects \
+  mkdir -p .git/objects \
   && GOOS=$TARGETOS GOARCH=$TARGETARCH GOFLAGS=-buildvcs=false make ${MAKE_TARGET} IPFS_PLUGINS=$IPFS_PLUGINS
 
 # Extract required runtime tools from Debian.