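# hadolint is a Dockerfile linter written in Haskell.
# More details at https://github.com/hadolint/hadolint
#
# This workflow lints ./Dockerfile and publishes the findings to GitHub code
# scanning as SARIF. Every third-party action below is pinned to a full commit
# SHA, so a moved or re-pointed tag cannot change the code that runs here.
# When bumping a pin, review the upstream diff between the old and new commit.

name: Docker Linter

on:
  push:
    branches: ["master"]
    # Documentation and git metadata files are not linted by this workflow,
    # so pushes that touch only these paths do not trigger a run.
    paths-ignore:
      - '**/*.md'
      - '**/*.gitignore'
      - '**/*.gitattributes'
  pull_request:
    branches: ["master"]
  workflow_dispatch:
  schedule:
    # Weekly: Sundays at 11:35 UTC.
    - cron: '35 11 * * 0'

# Workflow-wide default: the token is read-only. Jobs must opt in to anything
# beyond this explicitly.
permissions:
  contents: read

jobs:
  hadolint:
    name: Run hadolint scan
    runs-on: ubuntu-latest
    permissions:
      contents: read  # for actions/checkout
      security-events: write  # for github/codeql-action/upload-sarif
    steps:
      # Must stay the first step so that it observes every later step.
      - name: Harden Runner
        uses: step-security/harden-runner@dd2c410b088af7c0dc8046f3ac9a8f4148492a95
        with:
          # 'audit' only records outbound connections; it blocks nothing.
          # TODO: after a few runs, switch to 'egress-policy: block' with an
          # allow-list built from the endpoints the audit runs recorded.
          egress-policy: audit

      - name: Checkout
        uses: actions/checkout@93ea575cb5d8a053eaa0ac8fa3b40d7e05a33cc8
        with:
          # No later step runs git against the remote, so do not leave the
          # token in the local git config where later steps could read it.
          persist-credentials: false

      - name: Run hadolint
        uses: hadolint/hadolint-action@f988afea3da57ee48710a9795b6bb677cc901183
        with:
          dockerfile: ./Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          # Findings never fail this job; they are visible only through the
          # SARIF upload below. This check therefore reports, it does not
          # gate merges. Enforce that through code scanning alert rules or
          # branch protection if blocking is wanted.
          no-fail: true

      - name: Upload Results
        uses: github/codeql-action/upload-sarif@b398f525a5587552e573b247ac661067fafa920b
        with:
          sarif_file: hadolint-results.sarif
          # Wait for code scanning to process the upload before the step
          # finishes.
          wait-for-processing: true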