From 0c1550686a9309587d2064c29471250574f2676f Mon Sep 17 00:00:00 2001
From: very-doge-wow <95224950+very-doge-wow@users.noreply.github.com>
Date: Sun, 20 Oct 2024 11:45:30 +0200
Subject: [PATCH] ci: add hadolint Dockerfile linter (#125)

* ci: add hadolint Dockerfile linter

* fix

---------

Co-authored-by: very-doge-wow <very-doge-wow@github.com>
---
 .github/workflows/lint.yml         | 24 ++++++++++++++++++++++++
 .github/workflows/lintmarkdown.yml | 15 ---------------
 Dockerfile                         | 17 +++++++++++------
 README.md                          |  4 ++++
 renovate.json                      |  6 +++++-
 5 files changed, 44 insertions(+), 22 deletions(-)
 create mode 100644 .github/workflows/lint.yml
 delete mode 100644 .github/workflows/lintmarkdown.yml

diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml
new file mode 100644
index 0000000..948a4f1
--- /dev/null
+++ b/.github/workflows/lint.yml
@@ -0,0 +1,24 @@
+name: Lint
+on: [push]
+jobs:
+  markdownlint:
+    name: markdownlint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: lint_markdown
+        uses: docker://avtodev/markdown-lint:v1
+        with:
+          args: './*.md'
+          ignore: './test/output.md ./test/custom-template-keywords.md ./EXAMPLE_OUTPUT.md'
+  hadolint:
+    name: hadolint
+    runs-on: ubuntu-latest
+    steps:
+      - name: Check out code
+        uses: actions/checkout@v4
+      - name: hadolint
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: Dockerfile
diff --git a/.github/workflows/lintmarkdown.yml b/.github/workflows/lintmarkdown.yml
deleted file mode 100644
index e9f7721..0000000
--- a/.github/workflows/lintmarkdown.yml
+++ /dev/null
@@ -1,15 +0,0 @@
-name: Markdownlint
-on: [push]
-jobs:
-  markdownlint:
-    name: markdownlint
-    runs-on: ubuntu-latest
-    steps:
-    - name: Check out code
-      uses: actions/checkout@v4
-
-    - name: lint_markdown
-      uses: docker://avtodev/markdown-lint:v1
-      with:
-        args: './*.md'
-        ignore: './test/output.md ./test/custom-template-keywords.md ./EXAMPLE_OUTPUT.md'
diff --git a/Dockerfile b/Dockerfile
index ff05a1e..65bb8be 100644
--- a/Dockerfile
+++ b/Dockerfile
@@ -1,24 +1,29 @@
-FROM python:3.13-alpine3.20 as helper
+FROM python:3.13-alpine3.20@sha256:c38ead8bcf521573dad837d7ecfdebbc87792202e89953ba8b2b83a9c5a520b6 as helper
+
+# renovate: datasource=pypi depName=pipenv versioning=pep440
+ENV PIP_ENV_VERSION=2024.0.3
 
 USER root
 
-WORKDIR app
+WORKDIR /app
 
 COPY Pipfile Pipfile.lock ./
 
 RUN <<EOF
-pip install pipenv --upgrade
+pip install pipenv==${PIP_ENV_VERSION} --no-cache-dir --upgrade
 pipenv requirements --hash > requirements.txt
 EOF
 
-FROM python:3.13-alpine3.20
+USER 1000
+
+FROM python:3.13-alpine3.20@sha256:c38ead8bcf521573dad837d7ecfdebbc87792202e89953ba8b2b83a9c5a520b6
 
 ARG IMAGE_VERSION=latest
 ARG COMMIT_SHA=unknown
 
 USER root
 
-WORKDIR app
+WORKDIR /app
 
 COPY reader/ ./reader
 COPY writer ./writer
@@ -26,7 +31,7 @@ COPY stella.py EXAMPLE/style.css ./
 COPY --from=helper /app/requirements.txt .
 
 RUN <<EOF
-pip install --root-user-action ignore -r requirements.txt
+pip install --no-cache-dir --root-user-action ignore -r requirements.txt
 chmod +x stella.py
 ln -s /app/stella.py /usr/local/bin/stella
 EOF
diff --git a/README.md b/README.md
index cd2f5dc..fd0c079 100644
--- a/README.md
+++ b/README.md
@@ -200,6 +200,7 @@ Install linters beforehand:
 
 * [markdownlint-cli](https://github.com/igorshubovych/markdownlint-cli)
 * [ruff](https://docs.astral.sh/ruff/)
+* [hadolint](https://github.com/hadolint/hadolint)
 
 ```shell
 # Markdown Linter
@@ -212,6 +213,9 @@ markdownlint './*.md' \
 ruff check \
   --fix \
   --config "lint.extend-select=['E','F','B','Q','S','W','DJ']"  .
+
+# Dockerfile Linter
+hadolint Dockerfile
 ```
 
 ### Running Unit Tests
diff --git a/renovate.json b/renovate.json
index 76bc9be..71915d0 100644
--- a/renovate.json
+++ b/renovate.json
@@ -1,6 +1,10 @@
 {
   "$schema": "https://docs.renovatebot.com/renovate-schema.json",
-  "extends": ["schedule:daily"],
+  "extends": [
+    "base",
+    "schedule:daily",
+    "customManagers:dockerfileVersions"
+  ],
   "packageRules": [
     {
       "groupName": "All Updates",