Initial plugin source.

.github/workflows/lint.yaml

@@ -0,0 +1,35 @@
+name: Lint
+
+on: push
+
+jobs:
+
+  renovate:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+      - uses: docker://kokuwaio/renovate-config-validator
+
+  markdownlint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+      - uses: docker://kokuwaio/markdownlint
+
+  yamllint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+      - uses: docker://kokuwaio/yamllint
+
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+      - uses: docker://kokuwaio/hadolint
+
+  shellcheck:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@main
+      - uses: docker://kokuwaio/shellcheck

.hadolint.yaml

@@ -0,0 +1,7 @@
+# https://github.com/hadolint/hadolint#configure
+failure-threshold: style
+strict-labels: true
+disable-ignore-pragma: true
+ignored:
+  - DL3008  # Pin versions in apt get install. Instead of `apt-get install <package>` use `apt-get install <package>=<version>`
+trustedRegistries: [docker.io]

.justfile

@@ -0,0 +1,79 @@
+# https://just.systems/man/en/
+set fallback := true
+set unstable := true
+set script-interpreter := ["bash", "-eu"]
+
+REGISTRY_IMAGE := "docker.io/library/registry:2.8.3"
+REGISTRY_NAME := "kaniko-registry"
+REGISTRY_PORT := "5001"
+IMAGE := replace("localhost:_/hadolint", '_', REGISTRY_PORT)
+
+[private]
+@default:
+	just --list --unsorted
+
+# Run linter.
+@lint:
+	docker run --rm --read-only --volume=$(pwd):$(pwd):ro --workdir=$(pwd) kokuwaio/renovate-config-validator
+	docker run --rm --read-only --volume=$(pwd):$(pwd):ro --workdir=$(pwd) kokuwaio/shellcheck
+	docker run --rm --read-only --volume=$(pwd):$(pwd):ro --workdir=$(pwd) kokuwaio/hadolint
+	docker run --rm --read-only --volume=$(pwd):$(pwd):ro --workdir=$(pwd) kokuwaio/yamllint
+	docker run --rm --read-only --volume=$(pwd):$(pwd):rw --workdir=$(pwd) kokuwaio/markdownlint --fix
+
+# Build using local repository as cache.
+@build: registry-up
+	docker run --rm --net=host \
+		--workdir=/workspace \
+		--volume=$(pwd):/workspace:ro \
+		--entrypoint="" \
+		gcr.io/kaniko-project/executor:v1.23.2-debug \
+		/kaniko/executor \
+		--context=/workspace \
+		--destination={{IMAGE}} \
+		--reproducible
+
+# Run image against local repository.
+run: registry-up
+	docker pull {{IMAGE}} >/dev/null
+	docker run --rm --read-only --volume=$(pwd):$(pwd):ro --workdir=$(pwd) {{IMAGE}}
+
+# Print image size.
+[script]
+size: registry-up
+	docker pull {{IMAGE}} >/dev/null
+	docker pull kokuwaio/hadolint >/dev/null
+	docker pull hadolint/hadolint >/dev/null
+	docker pull pipelinecomponents/hadolint >/dev/null
+	printf "| Image                         | Uncompressed |  Compressed  |\n"
+	printf "| ----------------------------- |:------------:|:------------:|\n"
+	printf "| {{IMAGE}}     | %s | %s |\n"                 "$(docker image inspect {{IMAGE}}                     --format='{{{{.Size}}' | numfmt --to=si --format='%'.3f --padding=11)B" "$(docker image save {{IMAGE}}                     | gzip | wc -c | bc | numfmt --to=si --format='%'.3f --padding=11)B"
+	printf "| hadolint/hadolint           | %s | %s |\n" "$(docker image inspect hadolint/hadolint           --format='{{{{.Size}}' | numfmt --to=si --format='%'.3f --padding=11)B" "$(docker image save hadolint/hadolint           | gzip | wc -c | bc | numfmt --to=si --format='%'.3f --padding=11)B"
+	printf "| kokuwaio/hadolint           | %s | %s |\n" "$(docker image inspect kokuwaio/hadolint           --format='{{{{.Size}}' | numfmt --to=si --format='%'.3f --padding=11)B" "$(docker image save kokuwaio/hadolint           | gzip | wc -c | bc | numfmt --to=si --format='%'.3f --padding=11)B"
+	printf "| pipelinecomponents/hadolint | %s | %s |\n" "$(docker image inspect pipelinecomponents/hadolint --format='{{{{.Size}}' | numfmt --to=si --format='%'.3f --padding=11)B" "$(docker image save pipelinecomponents/hadolint | gzip | wc -c | bc | numfmt --to=si --format='%'.3f --padding=11)B"
+
+# Inspect image layers with `dive`.
+@dive: registry-up
+	docker pull {{IMAGE}} >/dev/null
+	docker run --rm -it --volume=/var/run/docker.sock:/var/run/docker.sock:ro wagoodman/dive:latest {{IMAGE}}
+
+# Build with local docker daemon.
+docker: registry-up
+	docker buildx build . --load --quiet --tag={{IMAGE}}:amd64 --platform=linux/amd64
+	docker buildx build . --load --quiet --tag={{IMAGE}}:arm64 --platform=linux/arm64
+	docker push {{IMAGE}} --all-tags --quiet
+	docker manifest rm {{IMAGE}} || true
+	docker manifest create {{IMAGE}} --insecure --amend {{IMAGE}}:amd64 --amend {{IMAGE}}:arm64
+	docker manifest inspect {{IMAGE}} --verbose
+	docker manifest push {{IMAGE}} --purge
+	docker pull {{IMAGE}}
+	docker image inspect {{IMAGE}}
+	docker run --rm --read-only --env=CI=1 --volume=$(pwd):$(pwd):ro --workdir=$(pwd) {{IMAGE}}
+
+# Start local image registry at `http://localhost:{{REGISTRY_PORT}}`.
+@registry-up:
+	docker volume create {{REGISTRY_NAME}} >/dev/null
+	docker ps --format '{{{{.Names}}' | grep {{REGISTRY_NAME}} >/dev/null || docker run --quiet --detach --volume={{REGISTRY_NAME}}:/var/lib/registry --publish={{REGISTRY_PORT}}:5000 --name={{REGISTRY_NAME}} {{REGISTRY_IMAGE}} >/dev/null
+
+# Shutdown local image registry.
+@registry-down:
+	docker rm {{REGISTRY_NAME}} --force >/dev/null 2>&1

.markdownlint.yaml

@@ -0,0 +1,9 @@
+# Default state for all rules
+default: true
+
+# MD009 - Trailing spaces
+MD009:
+  strict: true
+
+# MD013 - Line length
+MD013: false

.woodpecker/build.yaml

@@ -0,0 +1,39 @@
+when:
+  event: [manual, push, pull_request]
+  branch: main
+  path: [.woodpecker/build.yaml, .woodpecker/push.yaml, Dockerfile, Dockerfile.dockerignore, entrypoint.sh]
+
+matrix:
+  PLATFORM: [amd64, arm64]
+labels:
+  platform: linux/${PLATFORM}
+
+steps:
+
+  build:
+    image: gcr.io/kaniko-project/executor:v1.23.2-debug
+    commands: /kaniko/executor
+        --context=$CI_WORKSPACE
+        --build-arg=SHELLCHECK_VERSION
+        --destination=ci-registry.schnabel.org/kokuwaio/hadolint:$CI_PIPELINE_NUMBER-$PLATFORM
+        --reproducible
+        --cache
+        --cache-copy-layers
+        --cache-run-layers
+        --cache-repo=$DOCKER_CACHE/cache/kokuwaio/hadolint
+        --insecure-registry=$DOCKER_CACHE
+        --insecure-registry=$DOCKER_MIRROR
+        --registry-mirror=$DOCKER_MIRROR
+        --skip-default-registry-fallback
+        --label=org.opencontainers.image.title="Shellcheck Plugin"
+        --label=org.opencontainers.image.description="A Woodpecker CI plugin for hadolint to lint Dockerfiles."
+        --label=org.opencontainers.image.url=$CI_REPO_URL
+        --label=org.opencontainers.image.documentation=$CI_REPO_URL
+        --label=org.opencontainers.image.source=$CI_REPO_CLONE_URL
+        --label=org.opencontainers.image.vendor=kokuwa.io
+        --label=org.opencontainers.image.licenses=GPL-3.0-or-later
+        --label=org.opencontainers.image.version=v2.12.0
+
+  test:
+    image: ci-registry.schnabel.org/kokuwaio/hadolint:${CI_PIPELINE_NUMBER}-${PLATFORM}
+    pull: true

.woodpecker/dockerhub.yaml

@@ -0,0 +1,17 @@
+when:
+  instance: ci.schnabel.org
+  repo: kokuwaio/hadolint
+  event: push
+  branch: main
+  path: README.md
+
+steps:
+
+  metadata:
+    image: kokuwaio/dockerhub-metadata
+    settings:
+      repository: kokuwaio/hadolint
+      description-short: A Woodpecker CI plugin for hadolint to lint Dockerfiles.
+      categories: [developer-tools, integration-and-delivery]
+      username: {from_secret: DOCKERHUB_USERNAME}
+      password: {from_secret: DOCKERHUB_PASSWORD}

.woodpecker/lint.yaml

@@ -0,0 +1,31 @@
+when:
+  event: [cron, manual, push, pull_request]
+  branch: main
+  path: [.woodpecker/lint.yaml, renovate.json, "**/*.yaml", "**/*.md", "**/*.sh", "**/Dockerfile"]
+
+steps:
+
+  renovate:
+    image: kokuwaio/renovate-config-validator
+    depends_on: []
+    when: [path: [.woodpecker/lint.yaml, renovate.json]]
+
+  yaml:
+    image: kokuwaio/yamllint
+    depends_on: []
+    when: [path: [.woodpecker/lint.yaml, .yamllint.yaml, "**/*.yaml"]]
+
+  markdown:
+    image: kokuwaio/markdownlint
+    depends_on: []
+    when: [path: [.woodpecker/lint.yaml, .markdownlint.yaml, "**/*.md"]]
+
+  dockerfile:
+    image: kokuwaio/hadolint
+    depends_on: []
+    when: [path: [.woodpecker/lint.yaml, .hadolint.yaml, "**/Dockerfile"]]
+
+  shellcheck:
+    image: kokuwaio/shellcheck
+    depends_on: []
+    when: [path: [.woodpecker/lint.yaml, "**/*.sh"]]

.woodpecker/push.yaml

@@ -0,0 +1,39 @@
+when:
+  instance: ci.schnabel.org
+  repo: kokuwaio/hadolint
+  event: push
+  branch: main
+  path: [.woodpecker/build.yaml, .woodpecker/push.yaml, Dockerfile, Dockerfile.dockerignore, entrypoint.sh]
+
+depends_on: [build]
+skip_clone: true
+
+steps:
+
+  manifest:
+    image: mplatform/manifest-tool:alpine-v2.1.9
+    commands: manifest-tool push from-args
+        --platforms=linux/amd64,linux/arm64
+        --template=ci-registry.schnabel.org/kokuwaio/hadolint:$CI_PIPELINE_NUMBER-ARCH
+        --target=ci-registry.schnabel.org/kokuwaio/hadolint:$CI_PIPELINE_NUMBER
+
+  docker.io: &push
+    image: quay.io/skopeo/stable:v1.17.0
+    depends_on: [manifest]
+    commands:
+      - echo "$AUTH" > /tmp/auth.json
+      - skopeo copy --all --preserve-digests --dest-precompute-digests
+          docker://ci-registry.schnabel.org/kokuwaio/hadolint:$CI_PIPELINE_NUMBER
+          docker://$URL/kokuwaio/hadolint:v2.12.0
+      - skopeo copy --all --preserve-digests --dest-precompute-digests
+          docker://ci-registry.schnabel.org/kokuwaio/hadolint:$CI_PIPELINE_NUMBER
+          docker://$URL/kokuwaio/hadolint:latest
+    environment:
+      URL: docker.io
+      AUTH: {from_secret: DOCKER_IO_AUTH}
+
+  ghcr.io:
+    <<: *push
+    environment:
+      URL: ghcr.io
+      AUTH: {from_secret: GHCR_IO_AUTH}

.yamllint.yaml

@@ -0,0 +1,23 @@
+extends: default
+
+## see https://yamllint.readthedocs.io/en/stable/rules.html
+rules:
+
+  # no need for document start
+  document-start: disable
+
+  # line length is not important
+  line-length: disable
+
+  # reduce space from 2
+  comments:
+    min-spaces-from-content: 1
+
+  # force double quotes everywhere
+  quoted-strings:
+    quote-type: double
+    required: only-when-needed
+
+  # allow everything on keys
+  truthy:
+    check-keys: false

Dockerfile

@@ -0,0 +1,35 @@
+##
+## Download hadolint
+##
+
+FROM docker.io/library/debian:12.9-slim@sha256:40b107342c492725bc7aacbe93a49945445191ae364184a6d24fedb28172f6f7 AS build
+SHELL ["/bin/bash", "-u", "-e", "-o", "pipefail", "-c"]
+RUN --mount=type=cache,target=/var/lib/apt/lists,sharing=locked \
+	apt-get -qq update && \
+	apt-get -qq install --yes --no-install-recommends ca-certificates wget && \
+	rm -rf /etc/*- /var/lib/dpkg/*-old /var/lib/dpkg/status /var/cache/* /var/log/*
+
+# https://github.com/hadolint/hadolint/tags
+# https://github.com/hadolint/hadolint/issues/245 - Request Signed releases
+
+ARG HADOLINT_VERSION=v2.12.0
+RUN ARCH=$(dpkg --print-architecture) && \
+	[[ $ARCH == amd64 ]] && export SUFFIX=x86_64; \
+	[[ $ARCH == arm64 ]] && export SUFFIX=arm64; \
+	[[ -z ${SUFFIX:-} ]] && echo "Unknown arch: $ARCH" && exit 1; \
+	wget --no-hsts --quiet \
+		"https://github.com/hadolint/hadolint/releases/download/$HADOLINT_VERSION/hadolint-Linux-${SUFFIX}" \
+		"https://github.com/hadolint/hadolint/releases/download/$HADOLINT_VERSION/hadolint-Linux-${SUFFIX}.sha256" && \
+	sha256sum  --check --strict "hadolint-Linux-$SUFFIX.sha256" && \
+	mv "hadolint-Linux-$SUFFIX" /usr/local/bin/hadolint && \
+	rm -rf "hadolint-Linux-$SUFFIX.sha256"
+
+##
+## Final stage
+##
+
+FROM docker.io/library/bash:5.2.37@sha256:6b7a52601cb4a02a370b394858eb609e701bf221920a259ecb5a933c6d5b3d2e
+COPY --link --chown=0:0 --chmod=555 --from=build /usr/local/bin/hadolint /usr/local/bin/hadolint
+COPY --link --chown=0:0 --chmod=555 entrypoint.sh /usr/local/bin/entrypoint.sh
+ENTRYPOINT ["/usr/local/bin/bash", "/usr/local/bin/entrypoint.sh"]
+USER 1000:1000

Dockerfile.dockerignore

@@ -0,0 +1,3 @@
+.*
+
+!entrypoint.sh