feat(sage-monorepo): add GH workflow to link Dockerfile (Sage-Bionetw…

…orks#2573)

.github/workflows/lint-dockerfiles.yml

@@ -0,0 +1,26 @@
+name: Lint Dockerfiles
+
+on:
+  push:
+    branches:
+      - main
+      - 'agora/**'
+      - 'iatlas/**'
+      - 'openchallenges/**'
+      - 'sage-monorepo/**'
+      - 'schematic/**'
+  pull_request:
+
+jobs:
+  hadolint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+        name: Checkout
+        with:
+          fetch-depth: 1
+
+      - name: Lint Dockerfiles
+        uses: hadolint/[email protected]
+        with:
+          recursive: true

.hadolint.yaml

@@ -0,0 +1,9 @@
+ignored:
+  # Pin versions in apt-get install.
+  # Reason: Identifying the versions of apt packages is not trivial. The versions available would
+  # also differ for different base images. This decision should be re-evaluated periodically.
+  - DL3008
+  # Pin versions in apt get install.
+  # Reason: Identifying the versions of apk packages is not trivial. The versions available would
+  # also differ for different base images. This decision should be re-evaluated periodically.
+  - DL3018

apps/iatlas/data/Dockerfile

@@ -1,26 +1,33 @@
 FROM python:3.10.13
 
-RUN apt-get -y update && apt-get -y install \
-    wget && \
-    # Install the GPG key for the Postgres repo
-    wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - && \
-    # Add the repo
-    echo "deb http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list && \
-    apt-get -y update && \
-    # Install the Postgres 12 client
-    apt-get -y install postgresql-client-12 && \
-    mkdir -p /home/gitlab/sage-iatlas-data
+SHELL ["/bin/bash", "-o", "pipefail", "-c"]
 
+RUN apt-get update -qq -y && export DEBIAN_FRONTEND=noninteractive \
+  && apt-get install --no-install-recommends -qq -y \
+    wget \
+  # Install the GPG key for the Postgres repo
+  && wget --quiet -O - https://www.postgresql.org/media/keys/ACCC4CF8.asc | apt-key add - \
+  # Add the repo
+  && echo "deb http://apt.postgresql.org/pub/repos/apt/ bookworm-pgdg main" | tee /etc/apt/sources.list.d/pgdg.list \
+  && apt-get update -qq -y \
+  # Install the Postgres 12 client
+  && apt-get install --no-install-recommends -qq -y \
+    postgresql-client-12 \
+  && mkdir -p /home/gitlab/sage-iatlas-data \
+  && apt-get -y autoclean \
+  && apt-get -y autoremove \
+  && rm -rf /var/lib/apt/lists/*
+
+WORKDIR /
 COPY requirements.txt requirements.txt
 COPY src/ /src
 
-RUN pip3 install -r requirements.txt
+RUN pip install --no-cache-dir -r requirements.txt
 
-WORKDIR /
 COPY docker-entrypoint.sh ./
 RUN chmod +x docker-entrypoint.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
 # Set up the iAtlas database
-CMD python /src/build_database.py
+CMD ["python", "/src/build_database.py"]

apps/openchallenges/edam-etl/Dockerfile

@@ -6,7 +6,9 @@ WORKDIR ${APP_DIR}
 COPY src src/
 COPY pyproject.toml poetry.lock ./
 
-RUN pip install poetry \
+# Use the version of Poetry installed in the dev container.
+# See /workspaces/sage-monorepo/tools/devcontainers/sage/.devcontainer/Dockerfile
+RUN pip install --no-cache-dir poetry==1.6.1 \
   && poetry config --local virtualenvs.create false \
   && poetry install --with prod --no-root --no-interaction --no-ansi \
   && pip cache purge
@@ -17,4 +19,4 @@ RUN chmod +x docker-entrypoint.sh
 
 ENTRYPOINT ["/docker-entrypoint.sh"]
 
-CMD python "${APP_DIR}/src/main.py"
+CMD ["python", "${APP_DIR}/src/main.py"]

apps/openchallenges/vault/Dockerfile

@@ -1,6 +1,6 @@
 FROM vault:1.12.7
 
-RUN apk add curl jq
+RUN apk add --no-cache curl jq
 
 HEALTHCHECK --interval=2s --timeout=3s --retries=20 --start-period=5s \
   CMD curl --fail --silent "localhost:${SERVER_PORT}/v1/sys/health" | jq '.initialized' | grep true || exit 1

apps/schematic/api/Dockerfile

@@ -1,6 +1,6 @@
 FROM tiangolo/uwsgi-nginx-flask:python3.10
 
-# add label 
+# add label
 LABEL org.opencontainers.image.authors='Milen Nikolov <[email protected]>, Andrew Lamb <[email protected]>, Mialy DeFelice <[email protected]>, Gianna Jordan <[email protected]>, Lingling Peng <[email protected]>'
 
 # the environment variables defined here are the default
@@ -13,21 +13,21 @@ ENV PYTHONFAULTHANDLER=1 \
     PIP_DISABLE_PIP_VERSION_CHECK=on \
     PIP_DEFAULT_TIMEOUT=200 \
     POETRY_VERSION=1.3.0 \
-    APP_PARENT_DIR=/app \ 
+    APP_PARENT_DIR=/app \
     NGINX_CONFIG=/etc/nginx/conf.d \
     APP_DIR=/app/app \
     ROOT=/ \
-    UWSGI_INI=/app/uwsgi.ini \ 
+    UWSGI_INI=/app/uwsgi.ini \
     NGINX_WORKER_PROCESSES=1 \
     VERSION=$TAG
 
 # run open ssl and generate certificate
-RUN apt update \
+RUN apt-get update -qq -y && export DEBIAN_FRONTEND=noninteractive \
+    && apt-get install --no-install-recommends -qq -y \
+      openssl jq \
     && apt-get -y autoclean \
     && apt-get -y autoremove \
-    && rm -rf /var/lib/apt/lists/* \
-    && apt-get update \ 
-    && apt-get install -y openssl jq 
+    && rm -rf /var/lib/apt/lists/*
 
 # add dhparam.pem
 # dhparam.pem was used in ssl-params.conf
@@ -45,30 +45,30 @@ COPY schematic_api pyproject.toml poetry.lock /app/app/
 
 # install dependencies
 WORKDIR /app/app
-RUN pip install poetry \
+# Use the version of Poetry installed in the dev container.
+# See /workspaces/sage-monorepo/tools/devcontainers/sage/.devcontainer/Dockerfile
+RUN pip install --no-cache-dir poetry==1.6.1 \
   && poetry config --local virtualenvs.create false \
   && poetry run pip install "cython<3.0.0" \
   && poetry run pip install --no-build-isolation pyyaml==5.4.1 \
-  && poetry install --with prod --no-root --no-interaction --no-ansi
-
-# Update file permission 
-RUN mkdir /root/.synapseCache /app/app/manifests
-
-# temporary here to ensure .synapseCache is not empty
-RUN echo "This is a test file." > /root/.synapseCache/test.txt
-# temporary here until we move .synapseCache to a different path
-RUN chmod -R 777 /root /app
+  && poetry install --with prod --no-root --no-interaction --no-ansi \
+  # Update file permission
+  && mkdir /root/.synapseCache /app/app/manifests \
+  # temporary here to ensure .synapseCache is not empty
+  && echo "This is a test file." > /root/.synapseCache/test.txt \
+  # temporary here until we move .synapseCache to a different path
+  && chmod -R 777 /root /app
 
 # Modify entrypoint script to allow SSL private key and certificate to be saved
 WORKDIR ${ROOT}
-COPY ./uwsgi-nginx-entrypoint.sh ./entrypoint2.sh
-COPY ./uwsgi-nginx-entrypoint.sh ./uwsgi-nginx-entrypoint2.sh
-COPY ./save_key_certificate.py ./save_key_certificate.py
+COPY uwsgi-nginx-entrypoint.sh ./entrypoint2.sh
+COPY uwsgi-nginx-entrypoint.sh ./uwsgi-nginx-entrypoint2.sh
+COPY save_key_certificate.py ./save_key_certificate.py
 
-RUN chmod +x uwsgi-nginx-entrypoint2.sh
-RUN chmod +x entrypoint2.sh
-RUN chown -R nginx /uwsgi-nginx-entrypoint2.sh
-RUN chown -R nginx /entrypoint2.sh
+RUN chmod +x uwsgi-nginx-entrypoint2.sh \
+  && chmod +x entrypoint2.sh \
+  && chown -R nginx /uwsgi-nginx-entrypoint2.sh \
+  && chown -R nginx /entrypoint2.sh
 
 WORKDIR ${APP_DIR}