feat(ci): setup Dockerfile changes check

Articola-Tools · Oct 13, 2024 · c437628 · c437628
1 parent 95a2041
commit c437628
Show file tree

Hide file tree

Showing 2 changed files with 64 additions and 13 deletions.
diff --git a/.github/workflows/validate_new_changes.yml b/.github/workflows/validate_new_changes.yml
@@ -15,9 +15,10 @@ jobs:
     find-changed-files:
         runs-on: "ubuntu-latest"
         outputs:
-            is_yaml_changed: "${{ steps.variables-setup.outputs.is_yaml_changed }}"
-            is_dockerfile_changed: "${{ steps.variables-setup.outputs.is_dockerfile_changed }}"
-            is_markdown_changed: "${{ steps.variables-setup.outputs.is_markdown_changed }}"
+            is_yaml_changed: "${{ steps.filter.outputs.yaml }}"
+            is_dockerfile_changed: "${{ steps.filter.outputs.dockerfile }}"
+            is_yaml_linter_image_changed: "${{ steps.filter.outputs.yaml-linter-image }}"
+            is_markdown_changed: "${{ steps.filter.outputs.markdown }}"
         permissions:
             pull-requests: "read"
         steps:
@@ -36,20 +37,18 @@ jobs:
                       - "**/*.yml"
                       dockerfile:
                       - "**/Dockerfile"
+                      yaml-linter-image:
+                      - "**/Dockerfile"
+                      - "**/.dockerignore"
+                      - "**/.yamllint"
                       markdown:
                       - "**/*.md"
-                  token: "${{ secrets.GITHUB_TOKEN }}"
-            - name: "Setup job variables"
-              id: "variables-setup"
-              run: |
-                  echo "is_yaml_changed=${{ steps.filter.outputs.yaml }}" >> $GITHUB_OUTPUT
-                  echo "is_dockerfile_changed=${{ steps.filter.outputs.dockerfile }})" >> $GITHUB_OUTPUT
-                  echo "is_markdown_changed=${{ steps.filter.outputs.markdown }})" >> $GITHUB_OUTPUT
 
     validate-yaml-linter-image:
         runs-on: "ubuntu-latest"
         needs: "find-changed-files"
-        if: "${{ needs.find-changed-files.outputs.is_yaml_changed == 'true' }}"
+        if: "${{ needs.find-changed-files.outputs.is_yaml_linter_image_changed == 'true' }}"
+
         # NOTE: building and running Docker image of YAML linter take around 1 minute.
         # If this job takes more than 5 minutes, it means that something is wrong.
         timeout-minutes: 5
@@ -72,6 +71,7 @@ jobs:
               with:
                   push: false
                   load: true
+
                   # NOTE: using another name to don't allow docker to download image from the internet in the next step.
                   tags: "local/yaml-linter-pr:latest"
                   cache-from: "type=registry,ref=${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
@@ -92,4 +92,55 @@ jobs:
                   ignore-unfixed: true
                   vuln-type: "os,library"
                   severity: "CRITICAL,HIGH,MEDIUM,LOW"
-                  scanners: "vuln,secret,misconfig"
+                  scanners: "vuln,secret,misconfig"
+
+    validate-dockerfile-changes:
+        runs-on: "ubuntu-latest"
+        needs: "find-changed-files"
+        if: "${{ needs.find-changed-files.outputs.is_dockerfile_changed == 'true' }}"
+
+        # NOTE: validating Dockerfile changes takes around 1 minute.
+        # If this job takes more than 5 minutes, it means that something is wrong.
+        timeout-minutes: 5
+        steps:
+            - name: "Checkout ${{ github.event.repository.name }}"
+              uses: "actions/checkout@v4"
+
+            - name: "Login to Docker registry"
+              uses: "docker/login-action@v3"
+              with:
+                  registry: "${{ env.REGISTRY }}"
+                  username: "${{ github.actor }}"
+                  password: "${{ secrets.GITHUB_TOKEN }}"
+
+            - name: "Run Dockerfile linter"
+              run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo
+                    ${{ env.REGISTRY }}/articola-tools/dockerfile-linter:latest"
+
+    validate-yaml-changes:
+        runs-on: "ubuntu-latest"
+        needs: "find-changed-files"
+
+        # NOTE: do not run this job when `is_yaml_linter_image_changed` is true, because this job validates YAML changes
+        # with the latest released yaml-linter image, and new changes in yaml-linter image can introduce false positives for
+        # this job (since changes in yaml-linter can change YAML rules).
+        if: "${{ needs.find-changed-files.outputs.is_yaml_changed == 'true'
+             && needs.find-changed-files.outputs.is_yaml_linter_image_changed == 'false' }}"
+
+        # NOTE: validating YAML changes takes around 1 minute.
+        # If this job takes more than 5 minutes, it means that something is wrong.
+        timeout-minutes: 5
+        steps:
+            - name: "Checkout ${{ github.event.repository.name }}"
+              uses: "actions/checkout@v4"
+
+            - name: "Login to Docker registry"
+              uses: "docker/login-action@v3"
+              with:
+                  registry: "${{ env.REGISTRY }}"
+                  username: "${{ github.actor }}"
+                  password: "${{ secrets.GITHUB_TOKEN }}"
+
+            - name: "Run YAML linter"
+              run: "docker run --rm -v ${{ github.workspace }}:/linter_workdir/repo
+                    ${{ env.REGISTRY }}/${{ env.IMAGE_NAME }}:latest"
diff --git a/Dockerfile b/Dockerfile
@@ -2,7 +2,7 @@ FROM python:3.13.0-alpine
 
 RUN addgroup -S lintergroup && adduser -S linteruser -G lintergroup
 
-RUN pip install --no-cache-dir yamllint
+RUN pip install --no-cache-dir yamllint==1.35.1
 
 COPY ./ /linter_workdir
 RUN chown -R linteruser:lintergroup /linter_workdir