feat: Add hadolint docker pre-commit hook (#2135)

.hadolint.yml

@@ -0,0 +1,8 @@
+---
+ignored:
+  - DL3003
+  - DL3008
+  - DL3013
+  - DL3015
+  - DL3027
+  - DL3047

.pre-commit-config.yaml

@@ -37,6 +37,15 @@ repos:
       - id: markdownlint-fix
         exclude: LICENSE.md
 
+  - repo: https://github.com/hadolint/hadolint
+    rev: c3dc18df7a501f02a560a2cc7ba3c69a85ca01d3 # frozen: v2.13.1-beta
+    hooks:
+      - id: hadolint-docker
+        # hadolint-docker is a special hook that runs hadolint in a Docker container
+        # Docker is not installed in the environment where pre-commit is run
+        stages: [manual]
+        entry: hadolint/hadolint:v2.12.1-beta hadolint
+
   - repo: https://github.com/codespell-project/codespell
     rev: 63c8f8312b7559622c0d82815639671ae42132ac # frozen: v2.4.1
     hooks:

docker/ci/Dockerfile

@@ -2,7 +2,14 @@ FROM rippleci/clio_clang:16
 ARG DEBIAN_FRONTEND=noninteractive
 ARG TARGETARCH
 
-SHELL ["/bin/bash", "-c"]
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+
+# Using root by default is not very secure but github checkout action doesn't work with any other user
+# https://github.com/actions/checkout/issues/956
+# And Github Actions doc recommends using root
+# https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user
+
+# hadolint ignore=DL3002
 USER root
 WORKDIR /root
 
@@ -17,7 +24,8 @@ ENV CCACHE_VERSION=4.10.2 \
 RUN apt-get -qq update \
     && apt-get -qq install -y --no-install-recommends --no-install-suggests gnupg wget curl software-properties-common \
     && echo "deb http://apt.llvm.org/focal/ llvm-toolchain-focal-${LLVM_TOOLS_VERSION} main" >> /etc/apt/sources.list \
-    && wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add -
+    && wget -O - https://apt.llvm.org/llvm-snapshot.gpg.key | apt-key add - && \
+    apt-get clean && rm -rf /var/lib/apt/lists/*
 
 # Install packages
 RUN apt update -qq \
@@ -82,10 +90,6 @@ RUN wget "https://github.com/cli/cli/releases/download/v${GH_VERSION}/gh_${GH_VE
     && rm -rf /tmp/* /var/tmp/*
 
 WORKDIR /root
-# Using root by default is not very secure but github checkout action doesn't work with any other user
-# https://github.com/actions/checkout/issues/956
-# And Github Actions doc recommends using root
-# https://docs.github.com/en/actions/sharing-automations/creating-actions/dockerfile-support-for-github-actions#user
 
 # Setup conan
 RUN conan remote add --insert 0 conan-non-prod http://18.143.149.228:8081/artifactory/api/conan/conan-non-prod

docker/compilers/clang-16/Dockerfile

@@ -3,6 +3,8 @@ ARG DEBIAN_FRONTEND=noninteractive
 ARG TARGETARCH
 
 SHELL ["/bin/bash", "-c"]
+
+# hadolint ignore=DL3002
 USER root
 WORKDIR /root
 

docker/compilers/gcc-12/Dockerfile

@@ -43,7 +43,7 @@ RUN /gcc-$GCC_VERSION/configure \
     --disable-multilib \
     --without-cuda-driver \
     --enable-checking=release \
-    && make -j`nproc` \
+    && make -j "$(nproc)" \
     && make install-strip DESTDIR=/gcc-$GCC_VERSION-$BUILD_VERSION-ubuntu-$UBUNTU_VERSION \
     && mkdir -p /gcc-$GCC_VERSION-$BUILD_VERSION-ubuntu-$UBUNTU_VERSION/usr/share/gdb/auto-load/usr/lib64 \
     && mv /gcc-$GCC_VERSION-$BUILD_VERSION-ubuntu-$UBUNTU_VERSION/usr/lib64/libstdc++.so.6.0.30-gdb.py /gcc-$GCC_VERSION-$BUILD_VERSION-ubuntu-$UBUNTU_VERSION/usr/share/gdb/auto-load/usr/lib64/libstdc++.so.6.0.30-gdb.py