File: hadolint.yml

libvpl-tools 1.5.0-1
---
# Reusable workflow: walks the checked-out tree, runs hadolint on every file
# whose path contains "Dockerfile"/"dockerfile", and uploads the report.
name: Hadolint
# Read-only token on every scope.
# NOTE(review): the steps in this file only appear to need `contents: read`
# (for actions/checkout) — confirm and narrow if so.
permissions: read-all

# Invoked only from other workflows (workflow_call); the caller decides which
# events, and therefore whose code, reach the self-hosted runner used by the
# scan job.
on:
  workflow_call:
    inputs:
      # Prepended verbatim to the uploaded artifact name ("<prefix>hadolint").
      output_prefix:
        description: 'Prefix to add to output artifacts'
        required: false
        default: ''
        type: string

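jobs:
  scan:
    # Self-hosted runner: the workspace and the Docker daemon persist between
    # jobs, so the cleanup steps in this job are the only isolation between
    # runs.
    # NOTE(review): this job checks out a PR branch and has sudo and Docker
    # access — confirm callers never route untrusted fork PRs to this runner.
    runs-on: [self-hosted, linux, docker]
    steps:
      - name: Cleanup workspace
        # `--` keeps a leftover file whose name starts with `-` from being
        # parsed as an rm option.
        run: sudo rm -rf -- ..?* .[!.]* *

      - name: Checkout PR branch
        # NOTE(review): a tag ref is mutable; pin to the full commit SHA of
        # the reviewed release.
        uses: actions/checkout@v4
        with:
          path: source
          # Do not leave the job token in source/.git/config: the tree is
          # mounted into a container by the Lint step.
          persist-credentials: false

      - name: Pull docker image
        # NOTE(review): no tag or digest, so whatever `latest` points to runs
        # on this runner; pin as hadolint/hadolint@sha256:<reviewed-digest>
        # here and in the Lint step.
        run: docker pull hadolint/hadolint

      - name: Lint
        run: |
          mkdir artifact
          echo "Hadolint Report" > artifact/hadolint.txt
          # Overall result: stays 0 unless a hadolint run fails, then holds
          # the exit code of the most recent failure.
          RC=0
          walk_dir () {
            # Per-call loop state, so a recursive call cannot clobber it.
            local pathname retVal
            # nullglob: empty directories yield no iterations.
            # dotglob: hidden entries are visited too (this includes
            # source/.git).
            shopt -s nullglob dotglob

            for pathname in "$1"/*; do
              retVal=0
              if [ -d "$pathname" ]; then
                walk_dir "$pathname" || retVal=$?
                if [ "$retVal" -ne 0 ]; then
                  RC=$retVal
                fi
              else
                case "$pathname" in
                  *Dockerfile*|*dockerfile*)
                    echo "Checking $pathname"
                    echo "" >> artifact/hadolint.txt
                    echo "  $pathname" >> artifact/hadolint.txt
                    echo "----------" >> artifact/hadolint.txt
                    # Paths come from the checked-out branch, so they are
                    # quoted: a name with spaces or glob characters must not
                    # be word-split or break the redirection.
                    # The Dockerfile is fed on stdin; the source tree is
                    # mounted read-only because hadolint only reads it.
                    # NOTE(review): `2>&1` precedes `>>`, so stderr goes to
                    # the step log and only stdout lands in the report —
                    # confirm that is intended.
                    docker run --rm \
                      -i --attach stderr --attach stdout \
                      -v "$(pwd)/source:/source:ro" \
                      -w /source \
                      hadolint/hadolint \
                      < "$pathname" 2>&1 \
                      >> artifact/hadolint.txt \
                      || retVal=$?
                    if [ "$retVal" -ne 0 ]; then
                      RC=$retVal
                    fi
                    ;;
                esac
              fi
            done
            return "$RC"
          }
          walk_dir "$(pwd)/source"

      - name: Summarize
        if: (failure())
        # The report is wrapped in a code fence so it is not rendered as
        # markdown in the job summary.
        run: |
          echo '```' >> "$GITHUB_STEP_SUMMARY"
          cat artifact/hadolint.txt >> "$GITHUB_STEP_SUMMARY"
          echo '```' >> "$GITHUB_STEP_SUMMARY"

      - name: Report
        if: (success() || failure())
        run: |
          cat artifact/hadolint.txt

      - name: Record Artifacts
        # NOTE(review): a tag ref is mutable; pin to the full commit SHA of
        # the reviewed release.
        uses: actions/upload-artifact@v4
        if: (success() || failure())
        with:
          name: '${{ inputs.output_prefix }}hadolint'
          path: artifact/*

      - name: Cleanup workspace
        # Run even when linting failed or the job was cancelled, so the
        # checked-out tree does not stay on the persistent runner.
        if: always()
        run: sudo rm -rf -- ..?* .[!.]* *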