name: Docker Lint

on:
  pull_request:
    paths:
      - 'Containers/**'
  push:
    branches:
      - main
    paths:
      - 'Containers/**'

permissions:
  contents: read

concurrency: 
  group: docker-lint-${{ github.head_ref || github.run_id }}
  cancel-in-progress: true

jobs:
  docker-lint:
    runs-on: ubuntu-latest

    name: docker-lint

    steps:
      - name: Checkout
        uses: actions/checkout@v4

      - name: Install hadolint
        run: |
          sudo wget https://github.com/hadolint/hadolint/releases/latest/download/hadolint-Linux-x86_64 -O /usr/bin/hadolint
          sudo chmod +x /usr/bin/hadolint

      - name: run lint
        run: |
          DOCKERFILES="$(find ./Containers -name Dockerfile)"
          mapfile -t DOCKERFILES <<< "$DOCKERFILES"
          for file in "${DOCKERFILES[@]}"; do
            # DL3018 warning: Pin versions in apk add. Instead of `apk add <package>` use `apk add <package>=<version>`
            # DL4006 warning: Set the SHELL option -o pipefail before RUN with a pipe in it. If you are using /bin/sh in an alpine image or if your shell is symlinked to busybox then consider explicitly setting your SHELL to /bin/ash, or disable this check
            hadolint "$file" --ignore DL3018 --ignore DL4006 | tee -a ./hadolint.log
          done
          if grep -q "DL[0-9]\+\|SC[0-9]\+" ./hadolint.log; then
            exit 1
          fi