From 2f831e386e152895a67dd7f78ae255fae8d76000 Mon Sep 17 00:00:00 2001
From: TriplEight
Date: Sun, 22 Mar 2026 09:57:36 +0100
Subject: [PATCH] ci: replace unsecured curl hadolint download with an official action

hadolint/hadolint-action uses a Docker-based runner with hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian,so no binary downloaded at runtime. Pinning the action to a commit SHA covers the Dockerfile that specifies the image version, closing the supply-chain gap from the previous unverified curl | sudo install. Split {debian,alpine}: the action takes a single dockerfile argument, so debian and alpine are linted separately.
---
 .github/workflows/hadolint.yml | 21 +++++++++++----------
 1 file changed, 11 insertions(+), 10 deletions(-)

diff --git a/.github/workflows/hadolint.yml b/.github/workflows/hadolint.yml
index 2b476904..39f10c55 100644
--- a/.github/workflows/hadolint.yml
+++ b/.github/workflows/hadolint.yml
@@ -30,14 +30,6 @@ jobs:
 driver-opts: |
 network=host
 
- # Download hadolint - https://github.com/hadolint/hadolint/releases
- - name: Download hadolint
- run: |
- sudo curl -L https://github.com/hadolint/hadolint/releases/download/v${HADOLINT_VERSION}/hadolint-$(uname -s)-$(uname -m) -o /usr/local/bin/hadolint && \
- sudo chmod +x /usr/local/bin/hadolint
- env:
- HADOLINT_VERSION: 2.14.0
- # End Download hadolint
 # Checkout the repo
 - name: Checkout
 uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
@@ -46,8 +38,17 @@ jobs:
 # End Checkout the repo
 
 # Test Dockerfiles with hadolint
- - name: Run hadolint
- run: hadolint docker/Dockerfile.{debian,alpine}
+ # Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian)
+ # so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety.
+ - name: Run hadolint on Dockerfile.debian
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+ with:
+ dockerfile: docker/Dockerfile.debian
+
+ - name: Run hadolint on Dockerfile.alpine
+ uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+ with:
+ dockerfile: docker/Dockerfile.alpine
 # End Test Dockerfiles with hadolint
 
 # Test Dockerfiles with docker build checks
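Review bot: Because the two new `Run hadolint` steps run sequentially with default step conditions, a failing `Dockerfile.debian` step skips the `Dockerfile.alpine` step, whereas the removed single `hadolint docker/Dockerfile.{debian,alpine}` invocation reported findings for both files in one run; adding `if: ${{ !cancelled() }}` to the alpine step keeps both reports visible on a single CI run. The added comment also overstates the guarantee: a Docker-based action still pulls `ghcr.io/hadolint/hadolint:v2.14.0-debian` from the registry at job time, and the commit SHA pins the action's Dockerfile rather than the image content behind that tag unless the Dockerfile references the image by digest, which is not visible here. Rewording the second comment line to `# Pinned by commit SHA; the hadolint image named in the action's Dockerfile is still pulled from ghcr.io at run time` states the residual trust accurately. The enclosing `steps:` list begins and ends outside this hunk.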