openshift · openshift-merge-robot · Apr 10, 2023 · Apr 9, 2023 · Apr 9, 2023 · Apr 10, 2023
diff --git a/.hadolint.yaml b/.hadolint.yaml
@@ -0,0 +1,7 @@
+ignored:
+  - DL3007 # Instead of latest use explicit release tag
+  - DL3018 # Instead of `apk add <package>` use `apk add <package>=<version>`
+  - DL3013 # Instead of `pip install <package>` use `pip install <package>==<version>`
+  - DL3042 # Avoid use of cache directory. Use `pip install --no-cache-dir <package>`
+  - DL3041 # Specify version with `dnf install -y <package>-<version>`
+  - DL3002 # Last USER should not be root
diff --git a/Makefile b/Makefile
@@ -116,7 +116,7 @@ etcd:
 		$(MAKE) -C etcd
 
 .PHONY: verify verify-images verify-assets
-verify: verify-images verify-assets verify-sh
+verify: verify-images verify-assets verify-sh verify-container
 
 verify-images:
 	./hack/verify_images.sh
@@ -152,6 +152,11 @@ verify-py:
 	fi
 	pylint $$(find . -type d \( -path ./_output -o -path ./vendor -o -path ./assets -o -path ./etcd/vendor \) -prune -o -name '*.py' -print)
 
+.PHONY: verify-container
+verify-container:
+	./scripts/fetch_tools.sh hadolint && \
+	./_output/bin/hadolint $$(find . -iname 'Containerfile*' -o -iname 'Dockerfile*'| grep -v "vendor\|_output")
+
 ###############################
 # post install validate       #
 ###############################

diff --git a/packaging/images/openshift-ci/Dockerfile.test-runtime b/packaging/images/openshift-ci/Dockerfile.test-runtime
@@ -1,13 +1,15 @@
 FROM registry.access.redhat.com/ubi8/ubi:latest
 USER root
-RUN echo -e '[google-cloud-sdk]\n\
-name=Google Cloud SDK\n\
-baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64\n\
-enabled=1\n\
-gpgcheck=1\n\
-repo_gpgcheck=1\n\
-gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg\n\
-      https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg' > /etc/yum.repos.d/google-cloud-sdk.repo
+RUN printf '%s\n' \
+    '[google-cloud-sdk]' \
+    'name=Google Cloud SDK' \
+    'baseurl=https://packages.cloud.google.com/yum/repos/cloud-sdk-el8-x86_64' \
+    'enabled=1' \
+    'gpgcheck=1' \
+    'repo_gpgcheck=1' \
+    'gpgkey=https://packages.cloud.google.com/yum/doc/yum-key.gpg' \
+    '      https://packages.cloud.google.com/yum/doc/rpm-package-key.gpg' > /etc/yum.repos.d/google-cloud-sdk.repo
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 RUN dnf update -y && \
     dnf install --setopt=tsflags=nodocs -y diffutils gcc git glibc-static google-cloud-sdk-365.0.1 jq make python3-devel util-linux && \
     pip3 install pygithub GitPython && \
@@ -16,9 +18,9 @@ RUN YQ_URL=https://github.com/mikefarah/yq/releases/download/v4.26.1/yq_linux_am
     YQ_HASH=9e35b817e7cdc358c1fcd8498f3872db169c3303b61645cc1faf972990f37582 ; \
     YQ_EXE=$(mktemp /tmp/yq-exe.XXXXX) ; \
     YQ_SUM=$(mktemp /tmp/yq-sum.XXXXX) ; \
-    echo -n "${YQ_HASH} -" > ${YQ_SUM} ; \
-    if ! (curl -Ls "${YQ_URL}" | tee ${YQ_EXE} | sha256sum -c ${YQ_SUM} &>/dev/null); then \
-      echo "ERROR: Expected file at ${YQ_URL} to have checksum ${YQ_HASH} but instead got $(sha256sum <${YQ_EXE} | cut -d' ' -f1)" ; \
+    echo -n "${YQ_HASH} -" > "${YQ_SUM}" ; \
+    if ! (curl -Ls "${YQ_URL}" | tee "${YQ_EXE}" | sha256sum -c "${YQ_SUM}" &>/dev/null); then \
+      echo "ERROR: Expected file at ${YQ_URL} to have checksum ${YQ_HASH} but instead got $(sha256sum <"${YQ_EXE}" | cut -d' ' -f1)" ; \
       exit 1 ; \
     fi ; \
-    chmod +x ${YQ_EXE} && mv ${YQ_EXE} /usr/bin/yq
+    chmod +x "${YQ_EXE}" && mv "${YQ_EXE}" /usr/bin/yq
diff --git a/scripts/fetch_tools.sh b/scripts/fetch_tools.sh
@@ -121,6 +121,24 @@ get_yq() {
     _install "${url}" "${checksum}" "${filename}" "yq_linux_${arch}"
 }
 
+get_hadolint() {
+    local ver="2.12.0"
+    declare -A checksums=(
+        ["x86_64"]="56de6d5e5ec427e17b74fa48d51271c7fc0d61244bf5c90e828aab8362d55010" 
+        ["aarch64"]="5798551bf19f33951881f15eb238f90aef023f11e7ec7e9f4c37961cb87c5df6")
+
+    declare -A arch_map=(
+        ["x86_64"]="x86_64" 
+        ["aarch64"]="arm64")
+
+    local arch="${arch_map[${ARCH}]}"
+    local checksum="${checksums[${ARCH}]}"
+    local filename="hadolint"
+    local url="https://github.com/hadolint/hadolint/releases/download/v${ver}/hadolint-Linux-${arch}"
+
+    _install "${url}" "${checksum}" "${filename}" "hadolint-Linux-${arch}"
+}
+
 tool_getters=$(declare -F |  cut -d' ' -f3 | grep "get_" | sed 's/get_//g')
 
 usage() {