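# Reusable workflow: lints ./Dockerfile with hadolint, publishes the findings
# to GitHub code scanning as SARIF, then gates the job on the SARIF content.
name: Docker Linter

on:
  workflow_call:

# Default token scope for every job in this workflow: read-only repo contents.
permissions:
  contents: read

jobs:
  lint-docker:
    name: Lint Dockerfile
    runs-on: ubuntu-latest
    permissions:
      contents: read
      # Needed by the upload-sarif step to write code-scanning results.
      security-events: write
    steps:
      # NOTE(review): this action and upload-sarif below are referenced by a
      # mutable major-version tag, while hadolint-action is pinned to a full
      # commit SHA. Pin these two to a full commit SHA as well so a moved tag
      # cannot change what runs in a job that holds security-events: write.
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          # No later step pushes or fetches, so do not leave the job token in
          # the local git config where the following steps could read it.
          persist-credentials: false

      # continue-on-error lets the job proceed to the SARIF upload even when
      # hadolint reports findings at or above failure-threshold; the final
      # step is what actually fails the job.
      - name: Run hadolint (produce SARIF)
        id: hadolint
        continue-on-error: true
        uses: hadolint/hadolint-action@2332a7b74a6de0dda2e2221d575162eba76ba5e5
        with:
          dockerfile: ./Dockerfile
          format: sarif
          output-file: hadolint-results.sarif
          failure-threshold: warning

      - name: Upload analysis results to GitHub
        if: always()
        uses: github/codeql-action/upload-sarif@v4
        with:
          sarif_file: hadolint-results.sarif
          wait-for-processing: true
          category: hadolint

      # Because the hadolint step never fails the job, this script is the only
      # gate. NOTE(review): confirm it exits non-zero when the SARIF file is
      # missing or unparsable, otherwise a crashed lint run passes silently.
      - name: Fail if SARIF contains warnings or errors
        if: always()
        run: python3 src/pkgmgr/github/check_hadolint_sarif.py hadolint-results.sarif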