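name: Docker / shell lint
# Lints the container build inputs: Dockerfile (via hadolint) and any shell
# scripts under docker/ (via shellcheck). These catch the class of regression
# the behavioral docker-publish smoke test can't — unquoted variable
# expansions, silently-failing RUN commands, etc.
#
# Rules and ignores are documented in .hadolint.yaml at the repo root.
#
# shellcheck: SC1091 ("can't follow sourced script") is excluded explicitly
# because the .venv activate script doesn't exist at lint time. It is
# excluded by code rather than by pinning `--severity=error`: the
# unquoted-expansion check this job exists for (SC2086) is only info-level,
# so a severity pin of `error` would have silently suppressed it along with
# SC1091. Severity is set to `info` so style-level findings stay advisory.

on:
  push:
    branches: [main]
    paths:
      - Dockerfile
      - docker/**
      - .hadolint.yaml
      - .github/workflows/docker-lint.yml
  pull_request:
    branches: [main]
    paths:
      - Dockerfile
      - docker/**
      - .hadolint.yaml
      - .github/workflows/docker-lint.yml

# Read-only token: both jobs only check out and lint; nothing is written
# back and no secrets are consumed, so this is safe to run on fork PRs.
permissions:
  contents: read

# Superseded lint runs on the same ref are cancelled; lint has no side
# effects, so dropping an in-flight run loses nothing.
concurrency:
  group: docker-lint-${{ github.ref }}
  cancel-in-progress: true

jobs:
  hadolint:
    name: Lint Dockerfile (hadolint)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout code
        # Actions are pinned to a full commit SHA (tag in the trailing
        # comment) so a moved tag cannot change what runs here.
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: hadolint
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
        with:
          dockerfile: Dockerfile
          config: .hadolint.yaml
          # Fail on error and warning findings; info/style are still
          # reported in the log but do not fail the job.
          failure-threshold: warning

  shellcheck:
    name: Lint docker/ shell scripts (shellcheck)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
      - name: shellcheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
        env:
          # --exclude=SC1091: the venv activate script sourced by the
          #   docker/ scripts doesn't exist at lint time, so "can't follow
          #   sourced script" is expected noise, not a defect.
          # --severity=info: keeps info-level checks such as SC2086
          #   (unquoted expansion) failing the job; only style-level
          #   findings are dropped. Pinning to `error` would have hidden
          #   exactly the class of bug this job is documented to catch.
          SHELLCHECK_OPTS: --severity=info --exclude=SC1091
        with:
          scandir: ./docker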