mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-29 06:31:32 +00:00
Phase 0.5 of the s6-overlay supervision plan. Catches Dockerfile and shell-script regressions that the behavioral docker-publish smoke test can't surface — unquoted variable expansions, silently-failing RUN commands, missing apt-get clean, etc. Both lint clean against the current (tini) Dockerfile + entrypoint.sh at the configured thresholds (hadolint: warning, shellcheck: error). Each ignore in .hadolint.yaml carries a one-line justification; the shellcheck severity floor is documented in the workflow file. Refs: docs/plans/2026-05-07-s6-overlay-dynamic-subagent-gateways.md
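name: Docker / shell lint

# Lints the container build inputs: Dockerfile (via hadolint) and any shell
# scripts under docker/ (via shellcheck). These catch the class of regression
# the behavioral docker-publish smoke test can't — unquoted variable
# expansions, silently-failing RUN commands, etc.
#
# Rules and ignores are documented in .hadolint.yaml at the repo root.
# shellcheck severity is pinned to `error` so SC1091-style "can't follow
# sourced script" info-level warnings don't fail the job — the .venv
# activate script doesn't exist at lint time.
#
# NOTE(review): the `error` floor applies to every shellcheck finding, not
# only SC1091. Warning-, info- and style-level findings are not reported by
# the shellcheck job at all; ShellCheck's quoting checks (e.g. SC2086) are
# info-level, so unquoted expansions in docker/ scripts are not caught there.

on:
  push:
    branches: [main]
    paths:
      - Dockerfile
      - 'docker/**'
      - .hadolint.yaml
      - .github/workflows/docker-lint.yml
  pull_request:
    branches: [main]
    paths:
      - Dockerfile
      - 'docker/**'
      - .hadolint.yaml
      - .github/workflows/docker-lint.yml

# Least privilege: both jobs only read the checked-out tree.
permissions:
  contents: read

# One run per ref; a newer push cancels the run still in progress.
concurrency:
  group: docker-lint-${{ github.ref }}
  cancel-in-progress: true

jobs:
  hadolint:
    name: Lint Dockerfile (hadolint)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      # Actions are pinned to a full commit SHA; the trailing comment records
      # the release tag the pin was taken from.
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # No step in this job talks to the remote again, so don't leave the
          # job token in the local git config for the third-party action that
          # runs next.
          persist-credentials: false

      - name: hadolint
        uses: hadolint/hadolint-action@54c9adbab1582c2ef04b2016b760714a4bfde3cf # v3.1.0
        with:
          dockerfile: Dockerfile
          config: .hadolint.yaml
          # Findings at `warning` or above fail the job; lower severities
          # do not.
          failure-threshold: warning

  shellcheck:
    name: Lint docker/ shell scripts (shellcheck)
    runs-on: ubuntu-latest
    timeout-minutes: 5
    steps:
      - name: Checkout code
        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
        with:
          # Same reasoning as the hadolint job: the lint step needs the
          # files, not the token.
          persist-credentials: false

      - name: shellcheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
        env:
          # Severity = error: SC1091 (can't follow sourced script) is info-
          # level and would otherwise fail when the venv activate script
          # doesn't exist at lint time.
          #
          # NOTE(review): if SC1091 is the only reason for this floor,
          # `--exclude=SC1091` with a lower --severity would keep warning-
          # and info-level findings visible. Confirm the docker/ scripts
          # lint clean at that level before switching.
          SHELLCHECK_OPTS: '--severity=error'
        with:
          scandir: ./docker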