Add Dockerfile linter

.github/workflows/ci.yml

@@ -62,6 +62,15 @@ jobs:
           repo-token: ${{ secrets.GITHUB_TOKEN }}
       - name: Run Code Analysis
         run: bundle exec rails code:analysis
+      - name: Run linter on production Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: "Dockerfile"
+
+      - name: Run linter on dev Dockerfile
+        uses: hadolint/hadolint-action@v3.1.0
+        with:
+          dockerfile: "Dockerfile.dev"
   tests:
     name: Tests
     runs-on: ubuntu-latest

.hadolint.yml

@@ -0,0 +1,4 @@
+ignored:
+  - DL3059 # Multiple consecutive `RUN` instructions. We ignore this because we want to cache as many RUN stages as possible.
+  - DL3008 # Pin versions in apt-get install.
+  - DL3028 # Pin versions in gem install.

Dockerfile

@@ -23,15 +23,15 @@ ENV NODE_ENV=production
 FROM base AS builder
 
 RUN apt-get update -qq && \
-    apt-get install -y build-essential libssl-dev libpq-dev git libsasl2-dev libyaml-dev curl && \
+    apt-get install --no-install-recommends -y build-essential libssl-dev libpq-dev git libsasl2-dev libyaml-dev curl && \
     rm -rf /var/lib/apt/lists/*
 
 # Copy node binaries from node image.
 COPY --from=node /usr/local /usr/local
 COPY --from=node /opt /opt
 
 # Create app directory.
-RUN mkdir -p $APP_HOME
+RUN mkdir -p "${APP_HOME}"
 
 # Setup work directory.
 WORKDIR $APP_HOME
@@ -42,7 +42,7 @@ COPY --link Gemfile Gemfile.lock package.json yarn.lock .yarnrc.yml .ruby-versio
 RUN corepack enable
 RUN gem install bundler && bundle install -j 4 && yarn install --immutable && \
     bundle exec bootsnap precompile --gemfile && \
-    rm -rf ~/.bundle/ $BUNDLE_PATH/ruby/*/cache $BUNDLE_PATH/ruby/*/bundler/gems/*/.git
+    rm -rf ~/.bundle/ "${BUNDLE_PATH}"/ruby/*/cache "${BUNDLE_PATH}"/ruby/*/bundler/gems/*/.git
 
 # Copy application code
 COPY --link . .
@@ -59,10 +59,10 @@ FROM base
 # Install packages needed for deployment
 RUN apt-get update -qq && \
     apt-get install --no-install-recommends -y curl libpq-dev libvips libjemalloc2 libyaml-dev && \
-    apt-get clean
+    apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Create app directory.
-RUN mkdir -p $APP_HOME
+RUN mkdir -p "${APP_HOME}"
 
 # Setup work directory.
 WORKDIR $APP_HOME

Dockerfile.dev

@@ -8,7 +8,7 @@ FROM node:$NODE_VERSION AS node
 FROM ruby:${RUBY_VERSION}-slim
 
 RUN apt-get update -qq && \
-    apt-get install -y build-essential libssl-dev libpq-dev vim git libsasl2-dev libyaml-dev curl && \
+    apt-get install --no-install-recommends -y build-essential libssl-dev libpq-dev vim git libsasl2-dev libyaml-dev curl && \
     rm -rf /var/lib/apt/lists/*
 
 # Copy node binaries from node image.
@@ -32,7 +32,7 @@ RUN gem install foreman bundler
 COPY --link package.json yarn.lock .yarnrc.yml ./
 
 RUN corepack enable
-RUN yarn install --immutable
+RUN yarn install --immutable && yarn cache clean
 
 COPY --link Gemfile Gemfile.lock .ruby-version ./
 RUN bundle install -j 4

README.md

@@ -134,6 +134,9 @@ With `bundle exec rails code:analysis` you can run the code analysis tool, you c
 - [Rails Best Practices](https://github.com/flyerhzm/rails_best_practices#custom-configuration) Edit `config/rails_best_practices.yml`
 - [Brakeman](https://github.com/presidentbeef/brakeman) Run `brakeman -I` to generate `config/brakeman.ignore`
 
+## More linters
+- [Hadolint](https://github.com/hadolint/hadolint) Install with `brew install hadolint` and run `hadolint Dockerfile*`. Edit `.hadolint.yml` to omit additional rules.
+
 ## Impersonation
 
 The `rails_api_base` incorporates a user impersonation feature, allowing `AdminUser`s to assume the identity of other `User`s. This feature is disabled by default.