diff --git a/.github/hadolint.yml b/.github/hadolint.yml new file mode 100644 index 00000000..58c68454 --- /dev/null +++ b/.github/hadolint.yml @@ -0,0 +1,3 @@ +--- +trustedRegistries: + - docker.io diff --git a/.github/workflows/build-images.yml b/.github/workflows/build-images.yml index 74dcf798..13be12f0 100644 --- a/.github/workflows/build-images.yml +++ b/.github/workflows/build-images.yml @@ -21,6 +21,12 @@ jobs: - name: Checkout uses: actions/checkout@v3 + - name: Lint Dockerfile + uses: hadolint/hadolint-action@v3.1.0 + with: + dockerfile: ${{ matrix.distribution }}/Dockerfile + config: ".github/hadolint.yml" + - name: Set up Docker Buildx uses: docker/setup-buildx-action@v2 diff --git a/alpine/Dockerfile b/alpine/Dockerfile index efa6d4bd..4c3545cb 100644 --- a/alpine/Dockerfile +++ b/alpine/Dockerfile @@ -36,7 +36,11 @@ LABEL org.opencontainers.image.created=$BUILD_DATE \ org.opencontainers.image.source="https://github.com/openhab/openhab-docker.git" \ org.opencontainers.image.authors="openHAB " -# Install basepackages +# https://github.com/hadolint/hadolint/wiki/DL4006 +SHELL ["/bin/ash", "-eo", "pipefail", "-c"] + +# Install basepackages. Versions are "pinned" by using a pinned base image. +# hadolint ignore=DL3018 RUN apk update --no-cache && \ apk add --no-cache \ arping \ @@ -60,11 +64,13 @@ RUN apk update --no-cache && \ rm -rf /var/cache/apk/* # Limit JDK crypto policy by default to comply with local laws which may prohibit use of unlimited strength cryptography -RUN JAVA_HOME=$(ls -d /usr/lib/jvm/*jdk*) && \ +RUN JAVA_HOME=$(find /usr/lib/jvm -maxdepth 1 -name "*jdk*" -type d) && \ sed -i 's/^crypto.policy=unlimited/crypto.policy=limited/' "${JAVA_HOME}/conf/security/java.security" # Install openHAB # Set permissions for openHAB. Export TERM variable. See issue #30 for details! +# Single quotes are used on purpose, so $TERM is expanded when running the container. +# hadolint ignore=SC2016 RUN version="$(echo $OPENHAB_VERSION | sed 's/snapshot/SNAPSHOT/g')" && \ if [ $(echo $version | grep -E '^.+\.(M|RC).+$') ]; then url="https://openhab.jfrog.io/openhab/libs-milestone-local/org/openhab/distro/openhab/${version}/openhab-${version}.zip"; \ elif [ $(echo $version | grep -E '^4\..+-SNAPSHOT$') ]; then url="https://ci.openhab.org/job/openHAB-Distribution/lastSuccessfulBuild/artifact/distributions/openhab/target/openhab-${version}.zip"; \ diff --git a/alpine/entrypoint b/alpine/entrypoint index 8b870f6b..b5e26959 100755 --- a/alpine/entrypoint +++ b/alpine/entrypoint @@ -4,7 +4,7 @@ interactive=$(if test -t 0; then echo true; else echo false; fi) set -eux -o pipefail ${EXTRA_SHELL_OPTS-} IFS=$'\n\t' -export JAVA_HOME=$(ls -d /usr/lib/jvm/*jdk*) +export JAVA_HOME=$(find /usr/lib/jvm -maxdepth 1 -name "*jdk*" -type d) # Configure Java unlimited strength cryptography if [ "${CRYPTO_POLICY}" = "unlimited" ]; then diff --git a/debian/Dockerfile b/debian/Dockerfile index dde1f54e..1ac3c3b2 100644 --- a/debian/Dockerfile +++ b/debian/Dockerfile @@ -36,7 +36,11 @@ LABEL org.opencontainers.image.created=$BUILD_DATE \ org.opencontainers.image.source="https://github.com/openhab/openhab-docker.git" \ org.opencontainers.image.authors="openHAB " -# Install basepackages +# https://github.com/hadolint/hadolint/wiki/DL4006 +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + +# Install basepackages. Versions are "pinned" by using a pinned base image. +# hadolint ignore=DL3008 RUN apt-get update && \ DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \ arping \ @@ -62,11 +66,13 @@ RUN apt-get update && \ rm -rf /var/lib/apt/lists/* # Limit JDK crypto policy by default to comply with local laws which may prohibit use of unlimited strength cryptography -RUN JAVA_HOME=$(ls -d /usr/lib/jvm/*jdk* | tail -n 1) && \ +RUN JAVA_HOME=$(find /usr/lib/jvm -maxdepth 1 -name "*jdk*" -type d) && \ sed -i 's/^crypto.policy=unlimited/crypto.policy=limited/' "${JAVA_HOME}/conf/security/java.security" # Install openHAB # Set permissions for openHAB. Export TERM variable. See issue #30 for details! +# Single quotes are used on purpose, so $TERM is expanded when running the container. +# hadolint ignore=SC2016 RUN version="$(echo $OPENHAB_VERSION | sed 's/snapshot/SNAPSHOT/g')" && \ if [ $(echo $version | grep -E '^.+\.(M|RC).+$') ]; then url="https://openhab.jfrog.io/openhab/libs-milestone-local/org/openhab/distro/openhab/${version}/openhab-${version}.zip"; \ elif [ $(echo $version | grep -E '^4\..+-SNAPSHOT$') ]; then url="https://ci.openhab.org/job/openHAB-Distribution/lastSuccessfulBuild/artifact/distributions/openhab/target/openhab-${version}.zip"; \ diff --git a/debian/entrypoint b/debian/entrypoint index 5121046d..4b93cde1 100755 --- a/debian/entrypoint +++ b/debian/entrypoint @@ -4,7 +4,7 @@ interactive=$(if test -t 0; then echo true; else echo false; fi) set -eux -o pipefail ${EXTRA_SHELL_OPTS-} IFS=$'\n\t' -export JAVA_HOME=$(ls -d /usr/lib/jvm/*jdk* | tail -n 1) +export JAVA_HOME=$(find /usr/lib/jvm -maxdepth 1 -name "*jdk*" -type d) # Configure Java unlimited strength cryptography if [ "${CRYPTO_POLICY}" = "unlimited" ]; then