From ca1cfe84864db1a39227046331f41d99be858f7a Mon Sep 17 00:00:00 2001 From: Austin Vazquez Date: Fri, 31 Oct 2025 19:17:25 -0500 Subject: [PATCH] Add linting to docker bake for local validation Signed-off-by: Austin Vazquez --- .github/actions/install-go/action.yml | 2 +- .github/workflows/ci.yml | 37 ++++---------- .golangci.yml | 10 ++-- .yamllint.yml | 13 +++++ Dockerfile | 74 ++++++++++++++++++++++++++- Makefile | 8 ++- docker-bake.hcl | 55 ++++++++++++++++++++ 7 files changed, 165 insertions(+), 34 deletions(-) create mode 100644 .yamllint.yml diff --git a/.github/actions/install-go/action.yml b/.github/actions/install-go/action.yml index 51ba20b..3d1fc49 100644 --- a/.github/actions/install-go/action.yml +++ b/.github/actions/install-go/action.yml @@ -13,4 +13,4 @@ runs: uses: actions/setup-go@v5 with: go-version: ${{ inputs.go-version }} - cache: false # see actions/setup-go#368 + cache: false # see actions/setup-go#368 diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml index 671d96e..ba55d0d 100644 --- a/.github/workflows/ci.yml +++ b/.github/workflows/ci.yml 
@@ -6,36 +6,22 @@ on: pull_request: branches: ['main', 'release/**'] -permissions: # added using https://github.com/step-security/secure-workflows +permissions: # added using https://github.com/step-security/secure-workflows contents: read jobs: - # - # golangci-lint - # linters: permissions: - contents: read # for actions/checkout to fetch code - pull-requests: read # for golangci/golangci-lint-action to fetch pull requests + contents: read # for actions/checkout to fetch code + pull-requests: read # for golangci/golangci-lint-action to fetch pull requests name: Linters - runs-on: ${{ matrix.os }} + runs-on: ubuntu-latest timeout-minutes: 10 - strategy: - matrix: - os: [ubuntu-latest, ubuntu-24.04-arm, macos-latest] # skipping windows-latest for now - exclude: - - os: ${{ github.event.repository.private && 'ubuntu-24.04-arm' || '' }} - - steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 - - uses: ./.github/actions/install-go - - uses: golangci/golangci-lint-action@4afd733a84b1f43292c63897423277bb7f4313a9 # v8.0.0 - with: - version: v2.1.5 - skip-cache: true - args: --timeout=8m + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1 + - run: make validate # # Project checks @@ -46,14 +32,14 @@ jobs: timeout-minutes: 5 steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: path: src/github.com/containerd/nerdbox fetch-depth: 100 - uses: ./src/github.com/containerd/nerdbox/.github/actions/install-go - - uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4 # v1.2.2 + - uses: containerd/project-checks@d7751f3c375b8fe4a84c02a068184ee4c1f59bc4 # v1.2.2 if: github.repository == 'containerd/nerdbox' with: working-directory: src/github.com/containerd/nerdbox 
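Review bot: The `linters` job still requests `pull-requests: read`, whose trailing comment says it is there for golangci/golangci-lint-action, but this hunk removes that action and the job now runs only checkout, setup-buildx and `make validate`. Dropping that line leaves the job with `contents: read`, which matches the workflow-level default and keeps the token at least privilege. Separately, removing the `matrix` means linting now runs from a single `ubuntu-latest` host. If the bake lint target does not cover the darwin and arm64 build configurations, files guarded by those build tags may go unlinted, which is worth confirming against docker-bake.hcl (not visible in this part of the patch).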
@@ -77,12 +63,12 @@ jobs: working-directory: src/github.com/containerd/nerdbox steps: - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: path: src/github.com/containerd/nerdbox # Needed for proto lookup during generation - - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 + - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0 with: repository: containerd/containerd path: src/github.com/containerd/containerd @@ -106,4 +92,3 @@ jobs: - run: script/install-proto-tools - run: make proto-fmt - run: make check-protos check-api-descriptors - diff --git a/.golangci.yml b/.golangci.yml index 8c20452..a83b0b0 100644 --- a/.golangci.yml +++ b/.golangci.yml @@ -1,9 +1,9 @@ version: "2" linters: enable: - - copyloopvar # Checks for loop variable copies in Go 1.22+ - - depguard # Checks for dependencies that should not be (re)introduced. See "settings" for further details. - - dupword # Checks for duplicate words in the source code + - copyloopvar # Checks for loop variable copies in Go 1.22+ + - depguard # Checks for dependencies that should not be (re)introduced. See "settings" for further details. + - dupword # Checks for duplicate words in the source code - gosec - misspell - nolintlint @@ -39,7 +39,7 @@ linters: staticcheck: checks: - all - - -QF1008 # Excludes QF1008 from staticcheck + - -QF1008 # Excludes QF1008 from staticcheck - -ST1000 - -ST1003 - -ST1020 @@ -49,7 +49,7 @@ linters: - name: package-comments severity: warning disabled: true - exclude: [ "" ] + exclude: [""] nolintlint: allow-unused: true exclusions: diff --git a/.yamllint.yml b/.yamllint.yml new file mode 100644 index 0000000..e190c16 --- /dev/null +++ b/.yamllint.yml @@ -0,0 +1,13 @@ +ignore: | + /vendor + +extends: default + +yaml-files: + - '*.yaml' + - '*.yml' + +rules: + truthy: disable + line-length: disable + document-start: disable 
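Review bot: In the new `.yamllint.yml`, `truthy: disable` turns the rule off for values as well as keys, so `yes`/`no`/`on`/`off` written as booleans anywhere in the repository's YAML will pass unflagged. If the motivation is the `on:` key in the GitHub workflow files, the narrower `truthy: {check-keys: false}` keeps the value check while allowing that key. A one-line comment above each disabled rule (`truthy`, `line-length`, `document-start`) saying why it is off would help later maintainers judge whether it can be re-enabled.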
diff --git a/Dockerfile b/Dockerfile index 0d2c26c..4e19446 100644 --- a/Dockerfile +++ b/Dockerfile @@ -13,17 +13,24 @@ # limitations under the License. # ----------------------------------------------------------------------------- +# syntax=docker/dockerfile:1 # Build the Linux kernel, initrd ,and containerd shim for running nerbox +ARG XX_VERSION=1.6.1 ARG GO_VERSION=1.25.1 ARG BASE_DEBIAN_DISTRO="bookworm" ARG GOLANG_IMAGE="golang:${GO_VERSION}-${BASE_DEBIAN_DISTRO}" +ARG GOLANGCI_LINT_VERSION=2.5.0 +ARG GOLANGCI_FROM_SOURCE=false ARG DOCKER_VERSION=28.4.0 ARG DOCKER_IMAGE="docker:${DOCKER_VERSION}-cli" ARG RUST_IMAGE="rust:1.89.0-slim-${BASE_DEBIAN_DISTRO}" -FROM ${GOLANG_IMAGE} AS base +# xx is a helper for cross-compilation +FROM --platform=$BUILDPLATFORM tonistiigi/xx:${XX_VERSION} AS xx + +FROM --platform=$BUILDPLATFORM ${GOLANG_IMAGE} AS base RUN echo 'Binary::apt::APT::Keep-Downloaded-Packages "true";' > /etc/apt/apt.conf.d/keep-cache RUN apt-get update && apt-get install --no-install-recommends -y file @@ -221,3 +228,68 @@ COPY --from=libkrun /libkrun.so /usr/local/lib64/libkrun.so ENV LIBKRUN_PATH=/go/src/github.com/containerd/nerdbox/_output VOLUME /var/lib/containerd + + +FROM base AS golangci-build +WORKDIR /src +ARG GOLANGCI_LINT_VERSION +ADD https://github.com/golangci/golangci-lint.git#v${GOLANGCI_LINT_VERSION} . +COPY --link --from=xx / / +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target=/root/.cache/ \ + xx-go --wrap && \ + go mod download +RUN --mount=type=cache,target=/go/pkg/mod \ + --mount=type=cache,target=/root/.cache/ \ + xx-go --wrap && \ + mkdir -p out && \ + go build -o /out/golangci-lint ./cmd/golangci-lint + +FROM scratch AS golangci-binary-false +FROM scratch AS golangci-binary-true +COPY --from=golangci-build /out/golangci-lint golangci-lint +FROM golangci-binary-${GOLANGCI_FROM_SOURCE} AS golangci-binary + +FROM base AS lint-base +ENV GOFLAGS="-buildvcs=false" +RUN <
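Review bot: The added `# syntax=docker/dockerfile:1` sits below the license header (the first Dockerfile hunk starts at line 13 and its leading context is comment text), but BuildKit honours parser directives only when they come before any other comment, blank line or instruction. As placed it is read as an ordinary comment and the build silently uses whatever frontend the builder bundles, so move it to line 1, above the license block. Also in this hunk, `tonistiigi/xx:${XX_VERSION}` is referenced by a mutable tag while the workflow pins its actions by commit SHA. Because a later stage does `COPY --link --from=xx / /` over the build stage's root, consider pinning by digest, e.g. `tonistiigi/xx:${XX_VERSION}@sha256:<digest>`.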