From 84e52968c7523f44638f4a0342570bb84dafc0c4 Mon Sep 17 00:00:00 2001
From: Kharkunov Eugene
Date: Wed, 15 Apr 2026 11:41:51 +0300
Subject: [PATCH 1/3] Added Hadolint check workflow
---
 .github/workflows/hadolint-check.yml | 72 ++++++++++++++++++++++++++++
 1 file changed, 72 insertions(+)
 create mode 100644 .github/workflows/hadolint-check.yml
diff --git a/.github/workflows/hadolint-check.yml b/.github/workflows/hadolint-check.yml
new file mode 100644
index 00000000..b59b8289
--- /dev/null
+++ b/.github/workflows/hadolint-check.yml
@@ -0,0 +1,72 @@
+name: Hadolint check
+
+on:
+  workflow_dispatch:
+  push:
+    branches:
+      - '*'
+  pull_request:
+    branches:
+      - 'dev'
+    paths:
+      - 'server/docker/Dockerfile.*'
+
+jobs:
+  discover:
+    runs-on: ubuntu-latest
+    outputs:
+      dockerfiles: ${{ steps.list.outputs.dockerfiles }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: ${{ github.event_name == 'pull_request' && 0 || 1 }}
+
+      - name: List Dockerfiles
+        id: list
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          BASE_SHA: ${{ github.event.pull_request.base.sha }}
+          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
+        run: |
+          if [ "$EVENT_NAME" = "pull_request" ]; then
+            files=$(git diff --name-only --diff-filter=d "$BASE_SHA" "$HEAD_SHA" -- 'server/docker/Dockerfile.*' \
+              | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          else
+            files=$(find server/docker -maxdepth 1 -type f -name 'Dockerfile.*' \
+              | jq -R -s -c 'split("\n") | map(select(length > 0))')
+          fi
+          echo "dockerfiles=$files" >> "$GITHUB_OUTPUT"
+
+  hadolint:
+    needs: discover
+    if: needs.discover.outputs.dockerfiles != '[]'
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      contents: read
+    strategy:
+      fail-fast: false
+      matrix:
+        dockerfile: ${{ fromJSON(needs.discover.outputs.dockerfiles) }}
+    steps:
+      - name: Checkout repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      - name: Derive slug
+        id: slug
+        run: echo "name=$(basename '${{ matrix.dockerfile }}' | tr '.' '-')" >> "$GITHUB_OUTPUT"
+
+      - name: Run Hadolint
+        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5 # v3.3.0
+        with:
+          dockerfile: ${{ matrix.dockerfile }}
+          format: sarif
+          output-file: hadolint-${{ steps.slug.outputs.name }}.sarif
+          no-fail: true
+
+      - name: Upload SARIF to Code Scanning
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # 4.35.1
+        with:
+          sarif_file: hadolint-${{ steps.slug.outputs.name }}.sarif
+          category: hadolint-${{ steps.slug.outputs.name }}
From a2ea1ddb5e93cbff0ff12c341b43df82c585198b Mon Sep 17 00:00:00 2001
From: Kharkunov Eugene
Date: Wed, 15 Apr 2026 12:15:53 +0300
Subject: [PATCH 2/3] Run code-related workflow only when code is changed
---
 .github/workflows/code-coverage.yml | 9 ++++++++-
 .github/workflows/codeql-scanning.yml | 4 ++++
 .github/workflows/hadolint-check.yml | 3 ---
 .github/workflows/semgrep-scanning.yml | 6 ++++++
 4 files changed, 18 insertions(+), 4 deletions(-)
diff --git a/.github/workflows/code-coverage.yml b/.github/workflows/code-coverage.yml
index 3978c095..7298242e 100644
--- a/.github/workflows/code-coverage.yml
+++ b/.github/workflows/code-coverage.yml
@@ -1,9 +1,16 @@
 name: Code coverage
 
 on:
+  push:
+    branches:
+      - 'dev'
+    paths:
+      - '**/*.java'
   pull_request:
     branches:
-      - dev
+      - 'dev'
+    paths:
+      - '**/*.java'
 
 jobs:
   extender:
diff --git a/.github/workflows/codeql-scanning.yml b/.github/workflows/codeql-scanning.yml
index c40dcdc1..84ca7fbc 100644
--- a/.github/workflows/codeql-scanning.yml
+++ b/.github/workflows/codeql-scanning.yml
@@ -4,9 +4,13 @@ on:
   push:
     branches:
       - 'dev'
+    paths:
+      - '**/*.java'
   pull_request:
     branches:
       - 'dev'
+    paths:
+      - '**/*.java'
   schedule:
     - cron: '0 2 * * 1'
 
diff --git a/.github/workflows/hadolint-check.yml b/.github/workflows/hadolint-check.yml
index b59b8289..28f61fd5 100644
--- a/.github/workflows/hadolint-check.yml
+++ b/.github/workflows/hadolint-check.yml
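Review bot: The `Derive slug` step interpolates `${{ matrix.dockerfile }}` straight into the `run:` shell line, so a matrix value containing a `'` or `$(` can break out of the single-quoted `basename` argument; the `List Dockerfiles` step above already routes event data through `env:`, and this step should do the same, i.e. add `env:` with `DOCKERFILE: ${{ matrix.dockerfile }}` and change the command to `run: echo "name=$(basename "$DOCKERFILE" | tr '.' '-')" >> "$GITHUB_OUTPUT"`. The matrix values are file names produced by `find` and `git diff --name-only` over the checked-out tree, which a pull request can add to, so they should be handled as data rather than as shell text. Separately, `upload-sarif` needs the `security-events: write` permission declared on the job, and workflows triggered by pull requests from forks do not receive write tokens, so that step is likely to fail on fork PRs; either state this in a comment on the `Upload SARIF to Code Scanning` step or guard it with `if: github.event.pull_request.head.repo.fork != true`.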
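Review bot: The `paths` filter `'**/*.java'` added to both the `push` and `pull_request` triggers stops this workflow from running when only build configuration or the workflow file itself changes, so a change to dependencies, compiler settings or to `code-coverage.yml` can no longer be validated in the pull request that makes it; the same filter is added in the `codeql-scanning.yml` and `semgrep-scanning.yml` hunks, where a dependency-only or non-Java change then receives no analysis until the weekly `schedule` run. I would extend each list with the project's build manifests and the workflow's own path, e.g. `- '**/*.java'` followed by `- '.github/workflows/code-coverage.yml'` (the build files are not visible in this patch, so their names need filling in). Note also that a `pull_request` `paths` filter leaves the check unreported on PRs that do not match, which blocks merging if any of these workflows is configured as a required status check.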
@@ -2,9 +2,6 @@ name: Hadolint check
 
 on:
   workflow_dispatch:
-  push:
-    branches:
-      - '*'
   pull_request:
     branches:
       - 'dev'
diff --git a/.github/workflows/semgrep-scanning.yml b/.github/workflows/semgrep-scanning.yml
index 6225a485..9517909a 100644
--- a/.github/workflows/semgrep-scanning.yml
+++ b/.github/workflows/semgrep-scanning.yml
@@ -4,9 +4,15 @@ on:
   push:
     branches:
       - 'dev'
+    paths:
+      - '**/*.java'
+      - '**/*.py'
   pull_request:
     branches:
       - 'dev'
+    paths:
+      - '**/*.java'
+      - '**/*.py'
   schedule:
     - cron: "0 2 * * MON"
 
From b18d6979e45cdf4f72418d2636b19af4cad6023a Mon Sep 17 00:00:00 2001
From: Kharkunov Eugene
Date: Wed, 15 Apr 2026 12:26:41 +0300
Subject: [PATCH 3/3] Review fixes
---
 .github/workflows/hadolint-check.yml | 2 --
 1 file changed, 2 deletions(-)
diff --git a/.github/workflows/hadolint-check.yml b/.github/workflows/hadolint-check.yml
index 28f61fd5..e4725a18 100644
--- a/.github/workflows/hadolint-check.yml
+++ b/.github/workflows/hadolint-check.yml
@@ -16,8 +16,6 @@ jobs:
     steps:
       - name: Checkout repository
         uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
-        with:
-          fetch-depth: ${{ github.event_name == 'pull_request' && 0 || 1 }}
 
       - name: List Dockerfiles
         id: list
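Review bot: Dropping `fetch-depth` makes the `List Dockerfiles` step fragile on `pull_request` events: with the default depth-1 checkout, the base commit in `$BASE_SHA` (and usually the head commit too, since checkout fetches only the merge commit) is not present locally, so `git diff --name-only "$BASE_SHA" "$HEAD_SHA"` is likely to fail with an unknown revision and, under the default `-e`/`pipefail` shell options, abort the job. If the goal is to keep the checkout shallow, either restore `fetch-depth: 0` for pull requests or fetch the two commits explicitly before diffing, e.g. `git fetch --depth=1 origin "$BASE_SHA" "$HEAD_SHA"` as the first line of the script. The `run:` body of `List Dockerfiles` that performs the diff is outside this hunk.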