Lint Dockerfiles

.github/workflows/docker-image-test.yml

@@ -11,6 +11,14 @@ jobs:
             - name: Checkout PR branch
               uses: actions/checkout@v2
 
+            - name: Lint Dockerfiles with Hadolint
+              run: |
+                  # Install latest Hadolint binary from GitHub (not available via apt)
+                  HADOLINT_LATEST_TAG=$(curl --silent "https://api.github.com/repos/hadolint/hadolint/releases/latest" | jq -r .tag_name)
+                  sudo curl -sLo /usr/bin/hadolint "https://github.com/hadolint/hadolint/releases/download/$HADOLINT_LATEST_TAG/hadolint-Linux-x86_64"
+                  sudo chmod +x /usr/bin/hadolint
+                  hadolint **Dockerfile
+
             - name: Set up QEMU
               uses: docker/setup-qemu-action@v1
 

dev.Dockerfile

@@ -3,24 +3,26 @@ ENV PYTHONUNBUFFERED 1
 RUN mkdir /code
 WORKDIR /code
 
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
 RUN apt-get update \
-    && apt-get install -y --no-install-recommends curl git build-essential \
+    && apt-get install -y --no-install-recommends curl=7.64.0-4+deb10u1 git=1:2.20.1-2+deb10u3 build-essential=12.6 \
     && curl -sL https://deb.nodesource.com/setup_14.x | bash - \
-    && apt-get install -y --no-install-recommends nodejs \
+    && apt-get install -y --no-install-recommends nodejs=14.16.0-1nodesource1 \
+    && rm -rf /var/lib/apt/lists/* \
     && npm install -g yarn@1 \
     && yarn config set network-timeout 300000 \
     && yarn --frozen-lockfile
 
 COPY requirements.txt /code/
 COPY requirements-dev.txt /code/
 # install dependencies but ignore any we don't need for dev environment
-RUN pip install $(grep -ivE "psycopg2" requirements.txt | cut -d'#' -f1) --compile\
-    && pip install psycopg2-binary
+RUN pip install -r requirements.txt --no-cache-dir
 
 # install dev dependencies
 RUN mkdir /code/requirements/
 COPY requirements-dev.txt /code/requirements/
-RUN pip install -r requirements-dev.txt --compile
+RUN pip install -r requirements-dev.txt --compile --no-cache-dir
 
 COPY package.json /code/
 COPY yarn.lock /code/
@@ -44,6 +46,6 @@ RUN DEBUG=1 DATABASE_URL='postgres:///' REDIS_URL='redis:///' python manage.py c
 EXPOSE 8000
 EXPOSE 8234
 RUN yarn install
-RUN cd plugins && yarn install
+RUN yarn install --cwd plugins
 ENV DEBUG 1
 CMD ["./bin/docker-dev"]

production.Dockerfile

@@ -5,24 +5,24 @@ WORKDIR /code
 
 COPY . /code/
 
-RUN apt-get update && apt-get install -y --no-install-recommends curl git build-essential \
-    && curl -sL https://deb.nodesource.com/setup_14.x  | bash - \
-    && apt-get install nodejs -y --no-install-recommends \
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+RUN apt-get update \
+    && apt-get install -y --no-install-recommends curl=7.64.0-4+deb10u1 git=1:2.20.1-2+deb10u3 build-essential=12.6 \
+    && curl -sL https://deb.nodesource.com/setup_14.x | bash - \
+    && apt-get install -y --no-install-recommends nodejs=14.16.0-1nodesource1 \
     && npm install -g yarn@1 \
     && yarn config set network-timeout 300000 \
     && yarn --frozen-lockfile \
     && yarn build \
-    && cd plugins \
-    && yarn --frozen-lockfile --ignore-optional \
-    && cd .. \
+    && yarn --cwd plugins --frozen-lockfile --ignore-optional \
     && yarn cache clean \
     && apt-get purge -y curl build-essential \
-    && rm -rf node_modules \
-    && rm -rf /var/lib/apt/lists/*
+    && rm -rf /var/lib/apt/lists/* \
+    && rm -rf node_modules
 
 # install dependencies but ignore any we don't need for dev environment
-RUN pip install $(grep -ivE "psycopg2" requirements.txt | cut -d'#' -f1) --no-cache-dir --compile\
-    && pip install psycopg2-binary --no-cache-dir --compile\
+RUN pip install -r requirements.txt --no-cache-dir --compile \
     && pip uninstall ipython-genutils pip -y
 
 RUN SECRET_KEY='unsafe secret key for collectstatic only' DATABASE_URL='postgres:///' REDIS_URL='redis:///' python manage.py collectstatic --noinput