👷 Add lint and build-check workflow #5

Merged: rickyheijnen merged 3 commits into main from setup/build-check-workflow, Aug 15, 2025

Conversation

@rickyheijnen (Member)

🔍 Summary

This PR adds a GitHub Actions workflow for linting and build validation to the repository, so that pull requests are always validated before they are merged into the main branch.

📝 Description

  • Add the lint.yml workflow to GitHub Actions
  • Add the build-check.yml workflow to GitHub Actions

✅ Checklist

  • Code has been tested locally
  • Tests have been added/updated
  • Documentation updated (if needed)

@rickyheijnen rickyheijnen requested a review from LegeBeker August 14, 2025 22:49
@rickyheijnen rickyheijnen self-assigned this Aug 14, 2025
coderabbitai Bot commented Aug 14, 2025

Caution: Review failed. The pull request is closed.

Walkthrough

Adds two new GitHub Actions workflows (build-check and code-lint), a Hadolint config file, small edits to the Dockerfile (use /bin/bash -o pipefail and apt-get), and adds a top-level concurrency block to the existing docker-publish workflow. Workflows run on ubuntu-latest and trigger mainly on pull_request to main (docker-publish triggers on push).

Changes (cohort / file(s): summary of changes)

CI: Build validation workflow, .github/workflows/build-check.yml
  New “Build Check” workflow triggered on pull_request to main; single job build-check on ubuntu-latest with permissions: contents: read; steps: actions/checkout@v4, docker/setup-buildx-action@v3, and docker/build-push-action@v6.15.0 performing a validation-only build (push: false), tagging ghcr.io/${{ github.repository }}:pr-check, with GHA cache-from/cache-to configured.

CI: Dockerfile lint workflow, .github/workflows/code-lint.yml
  New “Code Lint” workflow triggered on pull_request to main; job lint-dockerfile on ubuntu-latest with permissions: contents: read; steps: actions/checkout@v4 and hadolint/hadolint-action@v3.1.0 to lint ./Dockerfile using .hadolint.yaml.

CI: Concurrency control, .github/workflows/docker-publish.yml
  Adds top-level concurrency block: group: ${{ github.workflow }}-${{ github.ref }} and cancel-in-progress: true to prevent concurrent runs per workflow+ref.

Lint config, .hadolint.yaml
  Adds Hadolint configuration with an ignored list containing DL3007, DL3008, DL3013, DL3016 and inline rationale comments.

Image & packaging, Dockerfile
  Sets default shell for RUN to /bin/bash -o pipefail and replaces apt usages with apt-get equivalents (update, install -y --no-install-recommends, clean); adds build-essential to installed packages. No other functional changes.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: CHILL
Plan: Pro

💡 Knowledge Base configuration:

  • MCP integration is disabled by default for public repositories
  • Jira integration is disabled by default for public repositories
  • Linear integration is disabled by default for public repositories

You can enable these sources in your CodeRabbit configuration.

📥 Commits

Reviewing files that changed from the base of the PR and between 535586b and 6118b77.

📒 Files selected for processing (5)
  • .github/workflows/build-check.yml (1 hunks)
  • .github/workflows/code-lint.yml (1 hunks)
  • .github/workflows/docker-publish.yml (1 hunks)
  • .hadolint.yaml (1 hunks)
  • Dockerfile (2 hunks)

@rickyheijnen rickyheijnen force-pushed the setup/build-check-workflow branch from 3ccaafb to 379fb95 Compare August 14, 2025 22:51
coderabbitai Bot left a comment

Actionable comments posted: 8

🧹 Nitpick comments (1)
.github/workflows/build-check.yml (1)

24-27: Nit: tags are optional when push=false.

Since this is a validation-only build, you can omit tags to avoid confusion about image availability. Harmless either way.

-          tags: ghcr.io/${{ github.repository }}:pr-check
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 839e602 and db7af7e.

📒 Files selected for processing (2)
  • .github/workflows/build-check.yml (1 hunks)
  • .github/workflows/code-lint.yml (1 hunks)
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/build-check.yml

10-10: label "brixion-runners" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

.github/workflows/code-lint.yml

10-10: label "brixion-runners" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🔇 Additional comments (1)
.github/workflows/code-lint.yml (1)

11-12: Good: minimal permissions.

contents: read is an appropriate minimal scope for linting.

Comment thread .github/workflows/build-check.yml (Outdated)

jobs:
  build-check:
    name: Build Check
    runs-on: brixion-runners

💡 Verification agent

🧩 Analysis chain

Fix runner label: add self-hosted and platform labels (and/or configure actionlint).

Same as the lint workflow: include "self-hosted" and platform labels to satisfy actionlint and improve portability.

-    runs-on: brixion-runners
+    runs-on:
+      - self-hosted
+      - linux
+      - x64
+      - brixion-runners
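Review bot: the `runs-on` array in this hunk is an AND match, so the job is only picked up by runners registered with all four labels (self-hosted, linux, x64, brixion-runners); confirm in the repository's runner settings that the brixion-runners pool actually carries linux and x64 before merging, otherwise the job queues indefinitely. If the only goal is the actionlint warning, an `actionlint.yaml` with `self-hosted-runner: labels: [brixion-runners]` silences it without changing scheduling at all. Separately, because these workflows trigger on `pull_request` and run on self-hosted runners, GitHub's documented recommendation is to restrict that combination to private repositories or trusted contributors, since pull-request code executes on your own infrastructure.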

🏁 Script executed:

#!/bin/bash
set -e
echo "Listing all workflow files and their runs-on settings:"
rg -n "runs-on:" -C1 .github/workflows

Length of output: 708


Fix runner labels across workflows

The custom runner label should be specified as an array that includes self-hosted and platform selectors to satisfy actionlint and ensure the correct runner is picked. Update all workflows using brixion-runners:

  • .github/workflows/build-check.yml (line 10)
  • .github/workflows/code-lint.yml (line 10)
  • .github/workflows/docker-publish.yml (line 9)

Example for build-check.yml:

-    runs-on: brixion-runners
+    runs-on:
+      - self-hosted
+      - linux
+      - x64
+      - brixion-runners

Apply the same array format in your other workflows or configure actionlint to permit single-label runners.


🤖 Prompt for AI Agents
In .github/workflows/build-check.yml around line 10, the runs-on uses a single
custom label "brixion-runners"; change it to an array containing "self-hosted",
the custom label, and the platform selector (e.g.
["self-hosted","brixion-runners","linux"]) so actionlint accepts it and the
correct runner is selected — apply the same array format to
.github/workflows/code-lint.yml (line 10) and
.github/workflows/docker-publish.yml (line 9).

Comment thread .github/workflows/build-check.yml
Comment on lines +21 to +32

      - name: Build image (validation only)
        uses: docker/build-push-action@v6.15.0
        with:
          context: .
          push: false
          tags: ghcr.io/${{ github.repository }}:pr-check
          cache-from: type=gha,scope=image
          cache-to: type=gha,mode=max,scope=image

🛠️ Refactor suggestion

Scope cache per-PR to reduce cross-PR cache poisoning and improve reproducibility.

Using a shared "image" scope across all PRs can cause confusing cache reuse and security concerns. Prefer scoping caches to each PR.

       - name: Build image (validation only)
         uses: docker/build-push-action@v6.15.0
         with:
           context: .
           push: false
           tags: ghcr.io/${{ github.repository }}:pr-check
-          cache-from: type=gha,scope=image
-          cache-to: type=gha,mode=max,scope=image
+          cache-from: type=gha,scope=pr-${{ github.event.pull_request.number }}
+          cache-to: type=gha,mode=max,scope=pr-${{ github.event.pull_request.number }}
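Review bot: `github.event.pull_request.number` is empty for any event other than `pull_request`, so if a `push` or `workflow_dispatch` trigger is ever added to this workflow the scope in both lines collapses to `pr-` and every run shares one cache again; the bot's own agent prompt already suggests a run-id fallback, which the expression syntax supports as `scope=pr-${{ github.event.pull_request.number || github.run_id }}`. Per-PR scoping also means the first build of every PR starts cold; `cache-from` accepts a multi-line list, so a read-only entry for a scope populated from main can sit alongside the PR scope while `cache-to` stays PR-isolated.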
🤖 Prompt for AI Agents
.github/workflows/build-check.yml lines 21-28: the docker build cache is using a
shared scope "image" across PRs which can cause cross-PR cache poisoning; update
the cache scope to be PR-specific (for example use the pull request number or
head ref) for both cache-from and cache-to so each PR gets an isolated cache
(e.g. scope: pr-${{ github.event.pull_request.number }} or scope: pr-${{
github.head_ref }}); ensure the same PR-specific expression is used in both
cache-from and cache-to and consider falling back to run id if the workflow runs
outside a PR.

coderabbitai Bot left a comment

Actionable comments posted: 1

♻️ Duplicate comments (3)
.github/workflows/code-lint.yml (3)

1-6: Add workflow-level concurrency to auto-cancel superseded runs.

Prevents wasting self-hosted capacity on outdated commits.

Apply:

 name: Code Lint

 on:
   pull_request:
     branches: [main]
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true

10-10: Include built-in self-hosted labels with your custom label for portability (and actionlint compatibility).

Explicit OS/arch improves scheduling and avoids actionlint warnings.

Apply:

-    runs-on: brixion-runners
+    runs-on:
+      - self-hosted
+      - linux
+      - x64
+      - brixion-runners

18-22: Harden the lint step: guard for missing Dockerfile and pin the action.

  • Skip when no Dockerfile exists.
  • Pin hadolint-action to a SHA.

Apply:

-      - name: Lint Dockerfile with hadolint
-        uses: hadolint/hadolint-action@v3.1.0
+      - name: Lint Dockerfile with hadolint
+        if: ${{ hashFiles('Dockerfile') != '' }}
+        uses: hadolint/hadolint-action@<commit-sha> # v3.1.0
         with:
           dockerfile: ./Dockerfile
-        
+          # optionally: failure-threshold: error
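Review bot: the `if:` with `hashFiles('Dockerfile')` is evaluated against the checked-out workspace, so it must stay after the checkout step as it does in this hunk, and the `hashFiles` path must refer to the same file as `with: dockerfile: ./Dockerfile`. The commented `failure-threshold: error` is a documented input of hadolint-action, but enabling it would stop warning-level rules such as DL3008 (reported as a warning in the check output below) from failing the job, which changes what the lint gate enforces; decide whether warnings should block merges before adopting it, because that choice and the `.hadolint.yaml` ignore list overlap.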

Note: The current pipeline fails due to DL3008; the inline ignore in Dockerfile (previous comment) will resolve it. Alternatively, add a .hadolint.yaml to selectively disable DL3008—ask if you’d prefer that route.

🧹 Nitpick comments (3)
Dockerfile (2)

1-1: Pin the base image by digest to prevent supply-chain drift.

Tagging by version alone is mutable. Pin to a specific digest for reproducible builds.

Apply:

-FROM ghcr.io/actions/actions-runner:v2.314.1
+FROM ghcr.io/actions/actions-runner:v2.314.1@sha256:<digest>
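Review bot: `<digest>` is a placeholder that must be replaced before this line is committable; once both a tag and a digest are present the digest is what gets pulled and the tag becomes informational, so the two silently drift apart unless an updater (for example Dependabot's docker ecosystem) bumps them together. Resolve it with `docker buildx imagetools inspect ghcr.io/actions/actions-runner:v2.314.1`, and pin the multi-arch index digest rather than one platform's manifest digest if the runner fleet is not uniformly x64.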

Replace with the image’s current sha256 from ghcr.io.


5-6: Strengthen shell safety: include -e and -u in the default SHELL.

Adding errexit and nounset catches failures early.

Apply:

-SHELL ["/bin/bash", "-o", "pipefail", "-c"]
+SHELL ["/bin/bash", "-euo", "pipefail", "-c"]
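Review bot: `-u` turns every expansion of an unset variable into a failed RUN, including ones inside scripts shipped by the base image that a RUN line may source, so audit each RUN for optional variables (`${VAR:-}` style) before adopting this; note also that a default SHELL only applies to shell-form RUN/CMD/ENTRYPOINT, so exec-form (JSON array) instructions get neither `-e` nor `pipefail` from it.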
.github/workflows/code-lint.yml (1)

15-16: Pin GitHub Actions to commit SHAs.

Avoids supply-chain drift; keep the tag as a comment for readability.

Apply:

-      - name: Checkout code
-        uses: actions/checkout@v4
+      - name: Checkout code
+        uses: actions/checkout@<commit-sha> # v4

Replace with the immutable SHA you trust.

📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between db7af7e and 4fec114.

📒 Files selected for processing (2)
  • .github/workflows/code-lint.yml (1 hunks)
  • Dockerfile (2 hunks)
🧰 Additional context used
🪛 GitHub Check: Lint Dockerfile
Dockerfile

[failure] 9-9:
DL3008 warning: Pin versions in apt get install. Instead of apt-get install <package> use apt-get install <package>=<version>

🪛 GitHub Actions: Code Lint
Dockerfile

[error] 9-9: Hadolint DL3008: Pin versions in apt get install. Instead of apt-get install <package> use apt-get install <package>=<version>.

🪛 actionlint (1.7.7)
.github/workflows/code-lint.yml

10-10: label "brixion-runners" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

@rickyheijnen rickyheijnen force-pushed the setup/build-check-workflow branch from d930432 to ae7dc92 Compare August 14, 2025 23:25

coderabbitai Bot left a comment

Actionable comments posted: 2

♻️ Duplicate comments (2)
.github/workflows/code-lint.yml (2)

14-14: Add built-in labels alongside custom self-hosted label.

Include the standard labels so selection is explicit and actionlint-friendly.

-    runs-on: brixion-runners
+    runs-on:
+      - self-hosted
+      - linux
+      - x64
+      - brixion-runners

Do you want me to add an actionlint workflow and config to whitelist your custom label?


18-24: Harden: pin actions by commit SHA and guard hadolint when Dockerfile is absent.

  • Pin actions to immutable SHAs to prevent supply-chain drift.
  • Skip hadolint when no Dockerfile exists to avoid spurious failures.
  • Consider failing on error-level findings explicitly.
       - name: Checkout code
-        uses: actions/checkout@v4
+        uses: actions/checkout@<commit-SHA> # v4

       - name: Lint Dockerfile with hadolint
-        uses: hadolint/hadolint-action@v3.1.0
+        if: ${{ hashFiles('Dockerfile') != '' }}
+        uses: hadolint/hadolint-action@<commit-SHA> # v3.1.0
         with:
           dockerfile: ./Dockerfile
           config: .hadolint.yaml
+          failure-threshold: error
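Review bot: `<commit-SHA>` in both `uses:` lines is a placeholder, so this hunk cannot be applied as-is; resolve each tag with `git ls-remote https://github.com/actions/checkout refs/tags/v4` (take the peeled `^{}` object if the tag is annotated) and the same against `refs/tags/v3.1.0` for hadolint-action. Keep the trailing `# v4` / `# v3.1.0` comments in exactly that form, since Dependabot and Renovate use them to track the version behind a SHA-pinned action and keep the pin updated. Note that `failure-threshold: error` is no longer commented out here, which relaxes the gate relative to the earlier suggestion: warning-level rules stop failing the job.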

Replace with the tested SHAs for each action.
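The pinning and hardening points raised in this and the previous review pass (digest-pinned FROM, `-euo pipefail` in SHELL, SHA-pinned actions, array-style `runs-on` for custom labels) are checks a repository can run on itself before a bot does. The script below is an added example, not the repository's or CodeRabbit's code: a stdlib-only policy check that scans workflow and Dockerfile text line by line and runs over constructed samples modelled on the review diffs. The SHA and digest it uses are placeholders, not real commits or images.

```python
"""Policy check for the pinning and runner-label points raised in this review.

Added example, not the repository's code. Stdlib only: it scans text line by
line so it needs no YAML parser. All sample inputs below are constructed for
the example; the SHA and digest are placeholders, not real commits or images.
"""
import json
import re

SHA40_RE = re.compile(r"^[0-9a-f]{40}$")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUNS_ON_RE = re.compile(r"^\s*runs-on:\s*(\S.*?)\s*$")
FROM_RE = re.compile(r"^\s*FROM\s+(\S+)", re.IGNORECASE)
SHELL_RE = re.compile(r"^\s*SHELL\s+(.*\S)\s*$", re.IGNORECASE)

# GitHub-hosted labels that are fine as a bare scalar (subset of the list
# actionlint prints above); anything else must be an array of labels.
HOSTED_LABELS = {"ubuntu-latest", "ubuntu-24.04", "ubuntu-22.04",
                 "windows-latest", "macos-latest"}


def check_workflow(text: str) -> list[str]:
    """Findings for a workflow: mutable action refs and bare custom runner labels."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            if ref.startswith("./"):          # local action, nothing to pin
                continue
            repo, _, version = ref.partition("@")
            if ref.startswith("docker://"):   # container actions pin by digest
                pinned = "sha256:" in version
            else:
                pinned = bool(SHA40_RE.match(version))
            if not pinned:
                findings.append(f"line {lineno}: {repo} uses mutable ref "
                                f"'{version or '<none>'}'; pin to an immutable SHA/digest")
            continue
        m = RUNS_ON_RE.match(line)
        if m:
            label = m.group(1)
            # Flow-style arrays and expressions are left alone; a block-style
            # array leaves the value empty, so the regex does not match at all.
            if label.startswith(("[", "${{")) or label in HOSTED_LABELS:
                continue
            findings.append(f"line {lineno}: runs-on '{label}' is a bare custom label; "
                            f"use [self-hosted, <os>, <arch>, {label}]")
    return findings


def check_dockerfile(text: str) -> list[str]:
    """Findings for a Dockerfile: base image without digest, weak default SHELL."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = FROM_RE.match(line)
        if m and "@sha256:" not in m.group(1):
            findings.append(f"line {lineno}: base image '{m.group(1)}' is not pinned by digest")
        m = SHELL_RE.match(line)
        if not m:
            continue
        try:
            args = json.loads(m.group(1))     # exec form is a JSON array
        except ValueError:
            findings.append(f"line {lineno}: SHELL should use exec (JSON array) form")
            continue
        # Collect single-letter flags from args like "-euo"; "-c" is the command switch.
        flags = "".join(a[1:] for a in args if a.startswith("-") and a != "-c")
        if "pipefail" not in args:
            findings.append(f"line {lineno}: SHELL does not set -o pipefail")
        missing = [f for f in ("e", "u") if f not in flags]
        if missing:
            findings.append(f"line {lineno}: SHELL lacks -{''.join(missing)} (errexit/nounset)")
    return findings


# Constructed samples modelled on the review diffs above (not the repo's files).
WORKFLOW_BEFORE = """\
name: Code Lint
on:
  pull_request:
    branches: [main]
jobs:
  lint-dockerfile:
    runs-on: brixion-runners
    permissions:
      contents: read
    steps:
      - name: Checkout code
        uses: actions/checkout@v4
      - name: Lint Dockerfile with hadolint
        uses: hadolint/hadolint-action@v3.1.0
        with:
          dockerfile: ./Dockerfile
"""
FAKE_SHA = "0123456789abcdef0123456789abcdef01234567"   # placeholder, not a real commit
FAKE_DIGEST = "sha256:" + "0" * 64                        # placeholder, not a real image
WORKFLOW_AFTER = WORKFLOW_BEFORE.replace(
    "runs-on: brixion-runners", "runs-on: [self-hosted, linux, x64, brixion-runners]"
).replace("@v4", f"@{FAKE_SHA} # v4").replace("@v3.1.0", f"@{FAKE_SHA} # v3.1.0")

DOCKERFILE_BEFORE = """\
FROM ghcr.io/actions/actions-runner:v2.314.1
SHELL ["/bin/bash", "-o", "pipefail", "-c"]
RUN apt-get update && apt-get install -y --no-install-recommends build-essential
"""
DOCKERFILE_AFTER = DOCKERFILE_BEFORE.replace(
    ":v2.314.1", f":v2.314.1@{FAKE_DIGEST}"
).replace('"-o", "pipefail"', '"-euo", "pipefail"')

if __name__ == "__main__":
    for name, findings in (("workflow before", check_workflow(WORKFLOW_BEFORE)),
                           ("workflow after", check_workflow(WORKFLOW_AFTER)),
                           ("Dockerfile before", check_dockerfile(DOCKERFILE_BEFORE)),
                           ("Dockerfile after", check_dockerfile(DOCKERFILE_AFTER))):
        print(f"{name}: {len(findings)} finding(s)")
        for finding in findings:
            print("  " + finding)
```

Pointing the two functions at real files (`Path(".github/workflows/code-lint.yml").read_text()`) turns this into a pre-commit or CI step that complements actionlint and hadolint rather than replacing them: actionlint already flags the bare runner label, while the digest and SHA pins are policy decisions those tools leave to the repository.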

🧹 Nitpick comments (1)
.hadolint.yaml (1)

3-6: Polish inline comments (typos/clarity).

Minor nits for clarity and correctness:

  • Use “apt-get” (with hyphen) instead of “apt get”.
  • Make comments explain why the rule is ignored, not restate the rule’s description.
-  - DL3008 # Pin versions in apt get install
+  - DL3008 # We currently don't pin all apt-get install versions in this image
📜 Review details

📥 Commits

Reviewing files that changed from the base of the PR and between 4fec114 and 535586b.

📒 Files selected for processing (4)
  • .github/workflows/code-lint.yml (1 hunks)
  • .github/workflows/docker-publish.yml (1 hunks)
  • .hadolint.yaml (1 hunks)
  • Dockerfile (2 hunks)
🚧 Files skipped from review as they are similar to previous changes (1)
  • Dockerfile
🧰 Additional context used
🪛 actionlint (1.7.7)
.github/workflows/code-lint.yml

14-14: label "brixion-runners" is unknown. available labels are "windows-latest", "windows-latest-8-cores", "windows-2025", "windows-2022", "windows-2019", "ubuntu-latest", "ubuntu-latest-4-cores", "ubuntu-latest-8-cores", "ubuntu-latest-16-cores", "ubuntu-24.04", "ubuntu-24.04-arm", "ubuntu-22.04", "ubuntu-22.04-arm", "ubuntu-20.04", "macos-latest", "macos-latest-xl", "macos-latest-xlarge", "macos-latest-large", "macos-15-xlarge", "macos-15-large", "macos-15", "macos-14-xl", "macos-14-xlarge", "macos-14-large", "macos-14", "macos-13-xl", "macos-13-xlarge", "macos-13-large", "macos-13", "self-hosted", "x64", "arm", "arm64", "linux", "macos", "windows". if it is a custom label for self-hosted runner, set list of labels in actionlint.yaml config file

(runner-label)

🔇 Additional comments (2)
.github/workflows/docker-publish.yml (1)

7-9: Good addition: workflow-level concurrency to auto-cancel superseded runs.

This is the right pattern for avoiding wasted capacity on main pushes.

.github/workflows/code-lint.yml (1)

7-9: Nice: added concurrency to cancel stale runs.

This prevents unnecessary usage on rapid PR updates.

@rickyheijnen rickyheijnen force-pushed the setup/build-check-workflow branch from 535586b to 6118b77 Compare August 15, 2025 06:41
@rickyheijnen rickyheijnen merged commit da4aee4 into main Aug 15, 2025
2 of 3 checks passed
@rickyheijnen rickyheijnen deleted the setup/build-check-workflow branch August 15, 2025 06:42