From 601efabd7d46a50e137ed8ac8a6a5d8c72af3781 Mon Sep 17 00:00:00 2001
From: =?UTF-8?q?=E7=BD=97=E6=B3=BD=E8=BD=A9?= <spacewanderlzx@gmail.com>
Date: Tue, 16 Jul 2024 10:34:11 +0800
Subject: [PATCH] ci: lint dockerfile (#636)

Signed-off-by: spacewander <spacewanderlzx@gmail.com>
---
 .github/workflows/lint.yml     | 13 +++++++++++++
 manifests/images/cp/Dockerfile |  5 +++--
 manifests/images/dp/Dockerfile |  5 +++--
 site/Dockerfile                |  3 ++-
 tools/Dockerfile.dev           |  9 +++++----
 5 files changed, 26 insertions(+), 9 deletions(-)

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
index ee3aa173..b328fca6 100644
--- a/.github/workflows/lint.yml
+++ b/.github/workflows/lint.yml
@@ -109,6 +109,19 @@ jobs:
         pattern: "*.sh"
         fail_on_error: true
 
+    - name: lint dockerfile
+      uses: hadolint/hadolint-action@v3.1.0
+      with:
+        dockerfile: Dockerfile
+        recursive: true
+        failure-threshold: warning
+
+    - name: lint dev dockerfile
+      uses: hadolint/hadolint-action@v3.1.0
+      with:
+        dockerfile: ./tools/Dockerfile.dev
+        failure-threshold: warning
+
     - name: lint remain
       run: |
         make lint-remain
diff --git a/manifests/images/cp/Dockerfile b/manifests/images/cp/Dockerfile
index dedc1ba4..d68909dc 100644
--- a/manifests/images/cp/Dockerfile
+++ b/manifests/images/cp/Dockerfile
@@ -34,9 +34,10 @@ COPY plugins/ plugins/
 COPY controller/ controller/
 # Remember to run `make prebuild` before building the image
 COPY external/istio/ external/istio/
-RUN cd ./external/istio && \
-    CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -C pilot/cmd/pilot-discovery -a -o /workspace/pilot-discovery
+WORKDIR /workspace/external/istio
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -C pilot/cmd/pilot-discovery -a -o /workspace/pilot-discovery
 
+# hadolint ignore=DL3006
 FROM ${CONTROLLER_BASE_IMAGE}
 
 # Labels below are consumed by GitHub Container Registry
diff --git a/manifests/images/dp/Dockerfile b/manifests/images/dp/Dockerfile
index 03b5ad79..8845d03b 100644
--- a/manifests/images/dp/Dockerfile
+++ b/manifests/images/dp/Dockerfile
@@ -33,9 +33,10 @@ COPY plugins/ plugins/
 COPY controller/ controller/
 # Remember to run `make prebuild` before building the image
 COPY external/istio/ external/istio/
-RUN cd ./external/istio && \
-    CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -C pilot/cmd/pilot-agent -a -o /workspace/pilot-agent
+WORKDIR /workspace/external/istio
+RUN CGO_ENABLED=0 GOOS=${TARGETOS:-linux} GOARCH=${TARGETARCH} go build -C pilot/cmd/pilot-agent -a -o /workspace/pilot-agent
 
+# hadolint ignore=DL3006
 FROM ${PROXY_BASE_IMAGE}
 
 # Labels below are consumed by GitHub Container Registry
diff --git a/site/Dockerfile b/site/Dockerfile
index 1a7fd95c..b05616fd 100644
--- a/site/Dockerfile
+++ b/site/Dockerfile
@@ -15,5 +15,6 @@
 # Use debian image for ARM64 support
 FROM floryn90/hugo:ext-debian@sha256:fee85ef1ff05dce85043b445fb7e1774594f35a943e7c019a378de345d91cf18
 
-RUN apt install -y --no-install-recommends git && \
+# hadolint ignore=DL3008
+RUN apt-get install -y --no-install-recommends git && \
   git config --global --add safe.directory /src
diff --git a/tools/Dockerfile.dev b/tools/Dockerfile.dev
index 0cd5240e..70c2c5f1 100644
--- a/tools/Dockerfile.dev
+++ b/tools/Dockerfile.dev
@@ -31,15 +31,16 @@ ARG GOPROXY
 ENV GOPROXY=$GOPROXY
 
 # codespell
-RUN apt update && apt install -y --no-install-recommends pip && pip install codespell==2.2.6
+# hadolint ignore=DL3008
+RUN apt-get update && apt-get install -y --no-install-recommends pip && pip install --no-cache-dir codespell==2.2.6
 
 # protoc
-RUN apt install -y --no-install-recommends unzip
+# hadolint ignore=DL3008
+RUN apt-get install -y --no-install-recommends unzip
 # I have researched https://github.com/bufbuild/protovalidate/ which claims itself as the successor of protoc-gen-validate.
 # Currently (2023 year), this project looks experimental and it has lots of break change compared with protoc-gen-validate.
 # So we still stick on the protoc-gen-validate.
 RUN VER=1.0.2 && \
-    ARCH=$(dpkg --print-architecture) && \
     set -ex && \
     git clone https://github.com/bufbuild/protoc-gen-validate -b v${VER} --depth 1 /go/src/protoc-gen-validate
 # Break down the git clone & wget so that we can cache git repo early
@@ -67,7 +68,7 @@ RUN VER=24.4 && \
     go install google.golang.org/protobuf/cmd/protoc-gen-go@v1.31.0
 
 # clang-format
-RUN pip install clang-format==17.0.6
+RUN pip install --no-cache-dir clang-format==17.0.6
 
 # autocorrect
 RUN VER=2.11.1 && \