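---
# Lint the project's Dockerfiles on every push and pull request.
#
# Security posture of this workflow:
#   * `permissions: {}` — the job receives no GITHUB_TOKEN scopes; it only reads
#     the checked-out tree and writes log output.
#   * `persist-credentials: false` — the checkout does not leave a token in
#     .git/config for later steps (or for anything the lint tools execute).
#   * Every third-party action is pinned to a full commit SHA; the trailing
#     `# vX.Y.Z` comment records the tag the SHA was taken from. When bumping,
#     update the SHA and the tag comment together.
#   * On `pull_request` from a fork the Dockerfiles under review are untrusted
#     input. The steps below only lint them; if a step that really builds or
#     runs them is ever added, gate it on trusted refs and keep permissions empty.
name: Hadolint

# yamllint reads the bare `on` key as the YAML 1.1 boolean `true`; GitHub's
# loader handles it, so silence the truthy rule rather than quoting the key.
on: [push, pull_request]  # yamllint disable-line rule:truthy

# No GITHUB_TOKEN scopes at all — the linters need none.
permissions: {}

# One run per pull request (or per branch for plain pushes); a newer run
# cancels the one still in progress for the same group.
concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
  cancel-in-progress: true

defaults:
  run:
    # Naming `bash` explicitly makes GitHub invoke it with `-eo pipefail`, so a
    # failing command inside a multi-line `run` fails the step.
    shell: bash

jobs:
  hadolint:
    name: Validate Dockerfile syntax
    runs-on: ubuntu-24.04
    timeout-minutes: 30
    steps:
      # Start Docker Buildx
      # A BuildKit builder is required for `docker build --check` further down.
      # https://github.com/moby/buildkit/issues/3969
      # Also set max parallelism to 2, the default of 4 breaks GitHub Actions and causes OOMKills
      # NOTE(review): `network=host` gives the builder container the runner's
      # network namespace. Acceptable while the job holds no token or secret;
      # revisit if either is ever added to this workflow.
      - name: Setup Docker Buildx
        uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
        with:
          buildkitd-config-inline: |
            [worker.oci]
            max-parallelism = 2
          driver-opts: |
            network=host
      # End Docker Buildx

      # Checkout the repo
      - name: Checkout
        uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
        with:
          # Do not write the GITHUB_TOKEN into .git/config; nothing after this
          # step needs git credentials.
          persist-credentials: false
      # End Checkout the repo

      # Test Dockerfiles with hadolint
      # Uses the Docker-based action (hadolint pre-bundled in ghcr.io/hadolint/hadolint:v2.14.0-debian)
      # so no binary is downloaded at runtime. Pinned by commit SHA for supply-chain safety.
      - name: Run hadolint on Dockerfile.debian
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: docker/Dockerfile.debian

      - name: Run hadolint on Dockerfile.alpine
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
        with:
          dockerfile: docker/Dockerfile.alpine
      # End Test Dockerfiles with hadolint

      # Test Dockerfiles with docker build checks
      # `--check` invokes BuildKit's Dockerfile checks. It is intended to lint
      # without executing the build stages — confirm that against the Docker
      # release shipped on ubuntu-24.04 before relying on it for fork PRs.
      # The loop keeps both files in one place; add new Dockerfiles here and to
      # the hadolint steps above.
      - name: Run docker build check
        run: |
          set -euo pipefail
          for dockerfile in docker/Dockerfile.debian docker/Dockerfile.alpine; do
            echo "Checking ${dockerfile}"
            docker build --check . -f "${dockerfile}"
          done
      # End Test Dockerfiles with docker build checks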