.github/workflows/linters.yml

name: Linters

on:
  workflow_call:
  workflow_dispatch:
  pull_request:
    branches: [ 'main' ]
  push:
    branches: [ 'main' ]

env:
  HADOLINT_RESULTS_FILE: hadolint.sarif

permissions:
  contents: read

concurrency:
  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.sha }}
  cancel-in-progress: true

jobs:
  hadolint:
    name: dockerfile lint
    permissions:
      security-events: write
    runs-on: ubuntu-22.04
    steps:
    - name: "setup: checkout repo"
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: Create sarif output folder
      run: mkdir -p "${{ github.workspace }}/sarif"

    - name: "scan: ./Dockerfile hadolint scan sarif output"
      uses: hadolint/hadolint-action@v3.1.0
      with:
        dockerfile: Dockerfile
        config: .github/configs/hadolint.yaml
        format: sarif
        output-file: "${{ github.workspace }}/sarif/main-${{ env.HADOLINT_RESULTS_FILE }}"
        no-fail: false
        failure-threshold: info

    - name: "scan: .sources/Dockerfile.sources hadolint scan sarif output"
      uses: hadolint/hadolint-action@v3.1.0
      with:
        dockerfile: .sources/Dockerfile.sources
        config: .github/configs/hadolint.yaml
        format: sarif
        output-file: "${{ github.workspace }}/sarif/sources-${{ env.HADOLINT_RESULTS_FILE }}"
        no-fail: true
        failure-threshold: info

    - name: "post: Upload results to security tab"
      uses: github/codeql-action/upload-sarif@2e230e8fe0ad3a14a340ad0815ddb96d599d2aff # v3.25.8
      with:
        sarif_file: "${{ github.workspace }}/sarif"

    - name: "scan: ./Dockerfile hadolint scan tty output"
      if: always()
      uses: hadolint/hadolint-action@v3.1.0
      with:
        dockerfile: Dockerfile
        config: .github/configs/hadolint.yaml
        format: tty
        failure-threshold: warning

  shellcheck:
    name: shellcheck
    runs-on: ubuntu-22.04
    steps:
    - name: "setup: checkout repo"
      uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332 # v4.1.7

    - name: "run shellcheck scan"
      uses: ludeeus/action-shellcheck@00b27aa7cb85167568cb48a3838b75f4265f2bca # v2.0.0
      with:
        severity: warning
        format: tty
        ignore_paths: .github .sources
      env:
        SHELLCHECK_OPTS: -e SC2154