From 82fef0c04569701f34f769f9f8cc29f0f6ec0621 Mon Sep 17 00:00:00 2001
From: Marcin Rataj
Date: Tue, 26 Aug 2025 17:01:06 +0200
Subject: [PATCH] feat(ci): docker linting (#10927)
* feat(ci): docker linting adds hadolint to validate dockerfile best practices configures project-specific rules in .hadolint.yaml
* fix(ci): enable hadolint console output adds verbose and tty format to see linting results in CI logs
* test: trigger hadolint warning remove --no-install-recommends to test CI output
* fix(ci): fail hadolint on warnings stricter linting to catch all best practice violations
* fix: add --no-install-recommends to apt-get reduces image size by avoiding unnecessary packages
* refactor: use WORKDIR instead of cd in dockerfile replaces cd commands with WORKDIR for cleaner dockerfile removes unnecessary hadolint ignore rules DL3003 and DL3009
* chore: simplify hadolint config removes unnecessary override rules for cleaner config
---
.../{docker-build.yml => docker-check.yml} | 21 ++++++++++++++++---
.github/workflows/docker-image.yml | 4 ++++
.hadolint.yaml | 13 ++++++++++++
Dockerfile | 7 +++----
4 files changed, 38 insertions(+), 7 deletions(-)
rename .github/workflows/{docker-build.yml => docker-check.yml} (63%)
create mode 100644 .hadolint.yaml
diff --git a/.github/workflows/docker-build.yml b/.github/workflows/docker-check.yml
similarity index 63%
rename from .github/workflows/docker-build.yml
rename to .github/workflows/docker-check.yml
index 24ece3fa4..e11f9830d 100644
--- a/.github/workflows/docker-build.yml
+++ b/.github/workflows/docker-check.yml
@@ -1,5 +1,7 @@
-# If we decide to run build-image.yml on every PR, we could deprecate this workflow.
-name: Docker Build
+# This workflow performs a quick Docker build check on PRs and pushes to master.
+# It builds the Docker image and runs a basic smoke test to ensure the image works.
+# This is a lightweight check - for full multi-platform builds and publishing, see docker-image.yml
+name: Docker Check
 on:
 workflow_dispatch:
@@ -15,7 +17,20 @@ concurrency:
 cancel-in-progress: true
 jobs:
- docker-build:
+ lint:
+ if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
+ runs-on: ubuntu-latest
+ timeout-minutes: 5
+ steps:
+ - uses: actions/checkout@v5
+ - uses: hadolint/hadolint-action@v3.1.0
+ with:
+ dockerfile: Dockerfile
+ failure-threshold: warning
+ verbose: true
+ format: tty
+
+ build:
 if: github.repository == 'ipfs/kubo' || github.event_name == 'workflow_dispatch'
 runs-on: ubuntu-latest
 timeout-minutes: 10
diff --git a/.github/workflows/docker-image.yml b/.github/workflows/docker-image.yml
index 6d89c2980..4564c060e 100644
--- a/.github/workflows/docker-image.yml
+++ b/.github/workflows/docker-image.yml
@@ -1,3 +1,7 @@
+# This workflow builds and publishes official Docker images to Docker Hub.
+# It handles multi-platform builds (amd64, arm/v7, arm64/v8) and pushes tagged releases.
+# This workflow is triggered on tags, specific branches, and can be manually dispatched.
+# For quick build checks during development, see docker-check.yml
 name: Docker Push
 on:
diff --git a/.hadolint.yaml b/.hadolint.yaml
new file mode 100644
index 000000000..78b3d23bf
--- /dev/null
+++ b/.hadolint.yaml
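Review bot: The new lint job pulls `actions/checkout@v5` and `hadolint/hadolint-action@v3.1.0` by mutable tag, so a retagged or compromised release changes what runs in CI without any change to this file; pin both to the full commit SHA the tag currently resolves to and keep the tag as a trailing comment, e.g. `- uses: hadolint/hadolint-action@<commit-sha> # v3.1.0`. The job declares no `permissions:` block either, so unless one is set at workflow level in the lines outside this hunk it inherits the repository's default token scope although it only needs to read the checkout; `permissions: contents: read` on the job bounds that. Both are hardening points on the new job rather than defects in the linting itself.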
@@ -0,0 +1,13 @@
+# Hadolint configuration for Kubo Docker image
+# https://github.com/hadolint/hadolint
+
+# Ignore specific rules
+ignored:
+ # DL3008: Pin versions in apt-get install
+ # We use stable base images and prefer smaller layers over version pinning
+ - DL3008
+
+# Trust base images from these registries
+trustedRegistries:
+ - docker.io
+ - gcr.io
\ No newline at end of file
diff --git a/Dockerfile b/Dockerfile
index 0db5f33b4..6d43beefa 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -8,9 +8,9 @@ ENV SRC_DIR=/kubo
 # Cache go module downloads between builds for faster rebuilds
 COPY go.mod go.sum $SRC_DIR/
+WORKDIR $SRC_DIR
 RUN --mount=type=cache,target=/go/pkg/mod \
- cd $SRC_DIR \
- && go mod download
+ go mod download
 COPY . $SRC_DIR
@@ -25,8 +25,7 @@ ARG MAKE_TARGET=build
 # mkdir .git/objects allows git rev-parse to read commit hash for version info
 RUN --mount=type=cache,target=/go/pkg/mod \
 --mount=type=cache,target=/root/.cache/go-build \
- cd $SRC_DIR \
- && mkdir -p .git/objects \
+ mkdir -p .git/objects \
 && GOOS=$TARGETOS GOARCH=$TARGETARCH GOFLAGS=-buildvcs=false make ${MAKE_TARGET} IPFS_PLUGINS=$IPFS_PLUGINS
 # Extract required runtime tools from Debian.
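Review bot: The rationale comment for ignoring DL3008 does not describe what the rule guards: pinning versions in `apt-get install` has no effect on layer count or image size, it affects reproducibility, so the real trade-off is that two builds of the same commit can bake different apt package versions into the image. I would reword the comment to say that, e.g. `# Unpinned apt packages are accepted for maintainability; rebuilds of the same commit may pick up newer package versions`, and note whatever bounds that drift in practice (the FROM lines are not in this patch, so I cannot tell whether the base images are pinned by digest). `trustedRegistries` only constrains the registry host, so `docker.io` admits every Docker Hub namespace rather than only official or ipfs images — fine if intended, worth a comment if not. The file also lacks a trailing newline.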
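Review bot: With the explicit `cd $SRC_DIR` removed, the build RUN in the second hunk now silently depends on the `WORKDIR $SRC_DIR` set in the first hunk roughly fifteen lines earlier, and WORKDIR does not carry across build stages, so any `FROM` introduced between the two would make `mkdir -p .git/objects` and `make` run in the wrong directory. The lines between the hunks are not in the patch, so I cannot confirm there is no intervening stage; please check, and make the dependency visible to the next editor with a comment on the RUN such as `# runs in $SRC_DIR (WORKDIR set after the go.mod COPY above)`.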