setup(repo): initial commit

Articola-Tools · Oct 12, 2024 · b88c57d · b88c57d
1 parent ea6276b
commit b88c57d
Show file tree

Hide file tree

Showing 12 changed files with 188 additions and 2 deletions.
diff --git a/.dockerignore b/.dockerignore
@@ -0,0 +1,7 @@
+.idea
+.github
+.git
+.dockerignore
+Dockerfile
+LICENSE
+README.md
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -0,0 +1,10 @@
+version: 2
+updates:
+    - package-ecosystem: "github-actions"
+      directory: "/"
+      schedule:
+          interval: "daily"
+    - package-ecosystem: "docker"
+      directory: "/"
+      schedule:
+          interval: "daily"
diff --git a/.github/workflows/build_and_push_docker_image.yml b/.github/workflows/build_and_push_docker_image.yml
@@ -0,0 +1,52 @@
+name: "Build and push Dockerfile linter Docker image"
+
+on:
+    push:
+        branches:
+            - "main"
+        paths:
+            - ".dockerignore"
+            - "Dockerfile"
+
+permissions:
+    contents: "read"
+    packages: "write"
+    id-token: "write"
+
+env:
+    REGISTRY: "ghcr.io"
+    IMAGE_NAME: "articola-tools/dockerfile-linter"
+
+jobs:
+    build-and-push:
+        runs-on: "ubuntu-latest"
+        # NOTE: building and pushing Docker image of Dockerfile linter take around 1 minute.
+        # If this job takes more than 5 minutes, it means that something is wrong.
+        timeout-minutes: 5
+        steps:
+            - name: "Checkout ${{ github.event.repository.name }}"
+              uses: "actions/checkout@v4"
+
+            - name: "Add short hash of current commit to environment variables"
+              run: "echo \"CURRENT_COMMIT_SHORT_HASH=$(git rev-parse --short \"$GITHUB_SHA\")\" >> \"$GITHUB_ENV\""
+
+            - name: "Set up Docker Buildx"
+              uses: "docker/setup-buildx-action@v3"
+
+            - name: "Login to Docker registry"
+              uses: "docker/login-action@v3"
+              with:
+                  registry: "${{ env.REGISTRY }}"
+                  username: "${{ github.actor }}"
+                  password: "${{ secrets.GITHUB_TOKEN }}"
+
+            - name: "Build and push Dockerfile linter Docker image"
+              uses: "docker/build-push-action@v6"
+              id: "build-and-push"
+              with:
+                  context: "."
+                  push: true
+                  tags: "${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest,
+                         ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:${{ env.CURRENT_COMMIT_SHORT_HASH }}"
+                  cache-from: "type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+                  cache-to: "type=inline"
diff --git a/.github/workflows/validate_new_changes.yml b/.github/workflows/validate_new_changes.yml
@@ -0,0 +1,59 @@
+name: "New changes validation"
+
+on:
+    pull_request:  # yamllint disable-line rule:empty-values
+
+permissions:
+    contents: "read"
+    packages: "read"
+
+env:
+    REGISTRY: "ghcr.io"
+    IMAGE_NAME: "articola-tools/dockerfile-linter"
+
+jobs:
+    validate-dockerfile-linter-image:
+        runs-on: "ubuntu-latest"
+        # NOTE: building and running Docker image of Dockerfile linter take around 1 minute.
+        # If this job takes more than 5 minutes, it means that something is wrong.
+        timeout-minutes: 5
+        steps:
+            - name: "Checkout ${{ github.event.repository.name }}"
+              uses: "actions/checkout@v4"
+
+            - name: "Set up Docker Buildx"
+              uses: "docker/setup-buildx-action@v3"
+
+            - name: "Login to Docker registry"
+              uses: "docker/login-action@v3"
+              with:
+                  registry: "${{ env.REGISTRY }}"
+                  username: "${{ github.actor }}"
+                  password: "${{ secrets.GITHUB_TOKEN }}"
+
+            - name: "Build Dockerfile linter Docker image"
+              uses: "docker/build-push-action@v6"
+              with:
+                  push: false
+                  load: true
+                  # NOTE: using another name to don't allow docker to download image from the internet in the next step.
+                  tags: "local/dockerfile-linter-pr:latest"
+                  cache-from: "type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
+                  cache-to: "type=inline"
+
+            - name: "Run local Dockerfile linter"
+              run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo local/dockerfile-linter-pr:latest"
+
+            - name: "Run Trivy vulnerability scanner"
+              uses: "aquasecurity/[email protected]"
+              env:
+                  # NOTE: this is needed because sometimes GHCR hits the rate limit, and AWS will be used instead.
+                  TRIVY_DB_REPOSITORY: "ghcr.io/aquasecurity/trivy-db,public.ecr.aws/aquasecurity/trivy-db"
+              with:
+                  image-ref: "local/dockerfile-linter-pr:latest"
+                  format: "table"
+                  exit-code: "1"
+                  ignore-unfixed: true
+                  vuln-type: "os,library"
+                  severity: "CRITICAL,HIGH,MEDIUM,LOW"
+                  scanners: "vuln,secret,misconfig"
diff --git a/.idea/.gitignore b/.idea/.gitignore
diff --git a/.idea/dockerfile-linter.iml b/.idea/dockerfile-linter.iml
diff --git a/.idea/misc.xml b/.idea/misc.xml
diff --git a/.idea/modules.xml b/.idea/modules.xml
diff --git a/.idea/vcs.xml b/.idea/vcs.xml
diff --git a/Dockerfile b/Dockerfile
@@ -0,0 +1,12 @@
+FROM ghcr.io/hadolint/hadolint:2.12.1-beta-alpine
+
+COPY ./ /linter_workdir
+
+# NOTE: we need to have a separate directory for linter to work only with needed files,
+# not with files from the entire system.
+WORKDIR /linter_workdir
+
+HEALTHCHECK --timeout=1s --retries=1 CMD hadolint --version || exit 1
+
+ENTRYPOINT ["/bin/sh", "-c", "find /linter_workdir/repo -name 'Dockerfile*' -type f | \
+while read -r dockerfile; do hadolint \"$dockerfile\"; done"]
diff --git a/LICENSE b/LICENSE
@@ -186,7 +186,7 @@
       same "printed page" as the copyright notice for easier
       identification within third-party archives.
 
-   Copyright [yyyy] [name of copyright owner]
+   Copyright 2024 Articola Tools
 
    Licensed under the Apache License, Version 2.0 (the "License");
    you may not use this file except in compliance with the License.

diff --git a/README.md b/README.md
@@ -1 +1,15 @@
-# dockerfile-linter
+# Articola Tools' Dockerfile linter
+
+[![image size](https://ghcr-badge.egpl.dev/articola-tools/dockerfile-linter/size?color=dodgerblue)](https://ghcr-badge.egpl.dev/articola-tools/dockerfile-linter/size?color=dodgerblue)
+
+This repo contains Dockerfile with preconfigured [Dockerfile linter](https://github.com/hadolint/hadolint?tab=readme-ov-file#rules).
+This linter is used in Articola Tools organization's repositories to lint Dockerfile files like
+other linters.
+
+## Usage
+
+Use `ghcr.io/articola-tools/dockerfile-linter` Docker image with `-v ./:/linter_workdir/repo`
+parameter, where `./` - is a path to a folder with files you want to lint.
+
+Example command to use this linter -
+`docker run --rm -v ./:/linter_workdir/repo ghcr.io/articola-tools/dockerfile-linter`