Add hadolint to pre-commit hooks (#422)

This hardens the Dockerfile.
TraceMachina · Mar 3, 2024 · d8afd33 · d8afd33
1 parent ae0ba19
commit d8afd33
Show file tree

Hide file tree

Showing 2 changed files with 35 additions and 21 deletions.
diff --git a/deployment-examples/docker-compose/Dockerfile b/deployment-examples/docker-compose/Dockerfile
@@ -22,42 +22,53 @@ ARG ADDITIONAL_BAZEL_FLAGS=
 # needed by the user. Useful if your worker needs specific dependencies installed.
 ARG ADDITIONAL_SETUP_WORKER_CMD=
 
-
 FROM ubuntu:${OS_VERSION} AS dependencies
 ARG OS_VERSION
-RUN apt update && \
-    DEBIAN_FRONTEND=noninteractive apt install --no-install-recommends -y \
-        npm \
-        git \
-        gcc \
-        g++ \
-        ca-certificates && \
-    npm install -g @bazel/bazelisk && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+RUN apt-get update \
+    && if [ "${OS_VERSION}" = "22.04" ]; then \
+        DEBIAN_FRONTEND=noninteractive \
+        apt-get install --no-install-recommends -y \
+            npm=8.5.1~ds-1 \
+            git=1:2.34.1-1ubuntu1.10 \
+            gcc=4:11.2.0-1ubuntu1 \
+            g++=4:11.2.0-1ubuntu1 \
+            python3=3.10.6-1~22.04 \
+            ca-certificates=20230311ubuntu0.22.04.1; \
+    elif [ "${OS_VERSION}" = "20.04" ]; then \
+        DEBIAN_FRONTEND=noninteractive \
+        apt-get install --no-install-recommends -y \
+            npm=6.14.4+ds-1ubuntu2 \
+            git=1:2.25.1-1ubuntu3.11 \
+            gcc=4:9.3.0-1ubuntu2 \
+            g++=4:9.3.0-1ubuntu2 \
+            python3=3.8.2-0ubuntu2 \
+            ca-certificates=20230311ubuntu0.20.04.1; \
+    else \
+        echo "Unsupported OS version: ${OS_VERSION}" >&2; \
+        exit 1; \
+    fi \
+    && apt-get clean \
+    && rm -rf /var/lib/apt/lists/* \
+    && npm install -g @bazel/bazelisk@1.19.0
 
 # Build the binary.
 FROM dependencies AS builder
 WORKDIR /root/nativelink
-ADD . .
+COPY . .
 ARG OPT_LEVEL
 ARG ADDITIONAL_BAZEL_FLAGS
 RUN bazel build -c ${OPT_LEVEL} ${ADDITIONAL_BAZEL_FLAGS} nativelink && \
     cp ./bazel-bin/nativelink /root/nativelink-bin
 
 # Go back to a fresh ubuntu container and copy only the compiled binary.
 FROM ubuntu:${OS_VERSION} as final
+ARG OS_VERSION
 COPY --from=builder /root/nativelink-bin /usr/local/bin/nativelink
-# Install any specific dependencies needed by the user.
-# Install runtime packages.
-RUN apt-get update && \
-    DEBIAN_FRONTEND=noninteractive apt-get install --no-install-recommends -y \
-        ca-certificates && \
-    apt-get clean && \
-    rm -rf /var/lib/apt/lists/*
+
 ARG ADDITIONAL_SETUP_WORKER_CMD
-RUN bash -ueo pipefail -c "${ADDITIONAL_SETUP_WORKER_CMD}"
 
-RUN mkdir -p /root/.cache/nativelink
+RUN bash -ueo pipefail -c "${ADDITIONAL_SETUP_WORKER_CMD}" \
+    && mkdir -p /root/.cache/nativelink
+
 EXPOSE 50051/tcp 50052/tcp
 CMD ["nativelink"]
diff --git a/tools/pre-commit-hooks.nix b/tools/pre-commit-hooks.nix
@@ -78,4 +78,7 @@ in {
     entry = "${pkgs.bazel-buildtools}/bin/buildifier -lint=warn";
     types = ["bazel"];
   };
+
+  # Dockerfile
+  hadolint.enable = true;
 }