From 94812f4458fabdfb9819a10b8f8d2f5fcbd0282f Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Mon, 16 Feb 2026 12:14:34 +0200 Subject: [PATCH 01/14] Lint Dockerfiles with hadolint, ignore current warnings --- .hadolint.yaml | 19 +++++++++++++++++++ .pre-commit-config.yaml | 6 ++++++ 2 files changed, 25 insertions(+) create mode 100644 .hadolint.yaml diff --git a/.hadolint.yaml b/.hadolint.yaml new file mode 100644 index 00000000..63eefea3 --- /dev/null +++ b/.hadolint.yaml @@ -0,0 +1,19 @@ +ignored: + - DL3003 # Use WORKDIR to switch to a directory + - DL3006 # Always tag the version of an image explicitly + - DL3007 # Using latest is prone to errors + - DL3008 # Pin versions in apt-get install + - DL3013 # Pin versions in pip + - DL3015 # Avoid additional packages (--no-install-recommends) + - DL3018 # Pin versions in apk add + - DL3020 # Use COPY instead of ADD for files and folders + - DL3032 # yum clean all missing after yum command + - DL3033 # Pin versions in yum install + - DL3040 # dnf clean all missing after dnf command + - DL3041 # Pin versions in dnf install + - DL3042 # Avoid use of cache directory with pip + - DL3047 # Avoid use of wget without progress bar + - DL3059 # Multiple consecutive RUN instructions + - DL4001 # Either use Wget or Curl but not both + - DL4006 # Set the SHELL option -o pipefail before RUN with a pipe in + - SC2016 # Expressions don't expand in single quotes diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 23420d89..067722c7 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,5 +6,11 @@ repos: - id: check-json - id: check-yaml + - repo: https://github.com/AleksaC/hadolint-py + rev: v2.14.0 + hooks: + - id: hadolint + exclude: ^archive/ + ci: autoupdate_schedule: quarterly From 3e51c570cf84fbbc090d0a3be54fafae374dd2b3 Mon Sep 17 00:00:00 2001 
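Review bot: The `ignored:` list in `.hadolint.yaml` switches off the pinning rules (DL3006, DL3007, DL3008, DL3013, DL3018, DL3033, DL3041) for every Dockerfile, with nothing to say which entries are temporary and which are accepted for good. I'd add a header comment such as `# Temporarily ignored; remove entries as the Dockerfiles are fixed`. If the unpinned base images and packages are deliberate, a second comment next to those rules should say so. Without that split, a later reader cannot tell a known supply-chain trade-off from a leftover to-do.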
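Review bot: The new hook in `.pre-commit-config.yaml` pins `rev: v2.14.0`, a tag that the owner of the third-party `AleksaC/hadolint-py` repository can move. The hook's code runs on contributor machines and, given the `ci:` section, presumably in hosted CI as well. Pinning the commit instead, `rev: <full-commit-sha>  # frozen: v2.14.0`, keeps the reviewed code fixed, and `pre-commit autoupdate --freeze` writes that form. The other entries under `repos:` are outside the hunk, so I can't tell whether they already follow that convention.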
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Mon, 16 Feb 2026 12:28:36 +0200 Subject: [PATCH 02/14] Fix DL3032/DL3040: yum/dnf clean all missing after yum/dnf command --- .hadolint.yaml | 2 -- manylinux2014-wheel-build/Dockerfile | 2 +- manylinux_2_28-wheel-build/Dockerfile | 2 +- 3 files changed, 2 insertions(+), 4 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index 63eefea3..ae046594 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -7,9 +7,7 @@ ignored: - DL3015 # Avoid additional packages (--no-install-recommends) - DL3018 # Pin versions in apk add - DL3020 # Use COPY instead of ADD for files and folders - - DL3032 # yum clean all missing after yum command - DL3033 # Pin versions in yum install - - DL3040 # dnf clean all missing after dnf command - DL3041 # Pin versions in dnf install - DL3042 # Avoid use of cache directory with pip - DL3047 # Avoid use of wget without progress bar diff --git a/manylinux2014-wheel-build/Dockerfile b/manylinux2014-wheel-build/Dockerfile index 70d6651a..19b82ed3 100644 --- a/manylinux2014-wheel-build/Dockerfile +++ b/manylinux2014-wheel-build/Dockerfile @@ -13,7 +13,7 @@ RUN cd $SRC && bash build_depends.sh FROM quay.io/pypa/manylinux2014_x86_64:latest COPY --from=0 /usr/local/lib /usr/local/lib COPY --from=0 /usr/local/include /usr/local/include -RUN yum install -y zlib-devel +RUN yum install -y zlib-devel && yum clean all COPY build.sh /build.sh ENV FORCE_COLOR=1 diff --git a/manylinux_2_28-wheel-build/Dockerfile b/manylinux_2_28-wheel-build/Dockerfile index 7493c8d4..0deeb37a 100644 --- a/manylinux_2_28-wheel-build/Dockerfile +++ b/manylinux_2_28-wheel-build/Dockerfile @@ -13,7 +13,7 @@ RUN cd $SRC && bash build_depends.sh FROM quay.io/pypa/manylinux_2_28_x86_64:latest COPY --from=0 /usr/local/lib /usr/local/lib COPY --from=0 /usr/local/include /usr/local/include -RUN yum install -y zlib-devel +RUN yum install -y zlib-devel && yum clean all COPY build.sh /build.sh ENV FORCE_COLOR=1 
From a08ede8768dddb1cb1b4cbd43056433cca5e1ec2 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Mon, 16 Feb 2026 13:30:22 +0200 Subject: [PATCH 03/14] Fix DL3020: Use COPY instead of ADD for files and folders --- .hadolint.yaml | 1 - alpine/Dockerfile | 2 +- amazon-2-amd64/Dockerfile | 2 +- amazon-2023-amd64/Dockerfile | 2 +- arch/Dockerfile | 2 +- debian-12-bookworm-amd64/Dockerfile | 2 +- debian-12-bookworm-x86/Dockerfile | 2 +- debian-13-trixie-amd64/Dockerfile | 2 +- debian-13-trixie-x86/Dockerfile | 2 +- fedora-42-amd64/Dockerfile | 2 +- fedora-43-amd64/Dockerfile | 2 +- gentoo/Dockerfile | 2 +- ubuntu-22.04-jammy-amd64-valgrind/Dockerfile | 2 +- ubuntu-22.04-jammy-amd64/Dockerfile | 2 +- ubuntu-24.04-noble-amd64/Dockerfile | 2 +- ubuntu-24.04-noble-arm64v8/Dockerfile | 2 +- ubuntu-24.04-noble-ppc64le/Dockerfile | 2 +- ubuntu-24.04-noble-s390x/Dockerfile | 2 +- 18 files changed, 17 insertions(+), 18 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index ae046594..6d70f888 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -6,7 +6,6 @@ ignored: - DL3013 # Pin versions in pip - DL3015 # Avoid additional packages (--no-install-recommends) - DL3018 # Pin versions in apk add - - DL3020 # Use COPY instead of ADD for files and folders - DL3033 # Pin versions in yum install - DL3041 # Pin versions in dnf install - DL3042 # Avoid use of cache directory with pip diff --git a/alpine/Dockerfile b/alpine/Dockerfile index 8b6da259..64ec5dc2 100644 --- a/alpine/Dockerfile +++ b/alpine/Dockerfile @@ -35,7 +35,7 @@ RUN apk --no-cache add \ tk-dev \ zlib-dev -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_webp.sh \ && ./install_raqm.sh diff --git a/amazon-2-amd64/Dockerfile b/amazon-2-amd64/Dockerfile index 9f9d3033..c6f34d9e 100644 --- a/amazon-2-amd64/Dockerfile +++ b/amazon-2-amd64/Dockerfile 
@@ -35,7 +35,7 @@ ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd --uid 1001 pillow -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_imagequant.sh diff --git a/amazon-2023-amd64/Dockerfile b/amazon-2023-amd64/Dockerfile index e127bac3..6c582a2e 100644 --- a/amazon-2023-amd64/Dockerfile +++ b/amazon-2023-amd64/Dockerfile @@ -48,7 +48,7 @@ RUN bash -c "/usr/bin/python3.11 -m pip install virtualenv \ && /vpy3/bin/pip install numpy --only-binary=:all: || true \ && chown -R pillow:pillow /vpy3" -ADD depends /depends +COPY depends /depends RUN wget https://github.com/ninja-build/ninja/releases/download/v1.13.2/ninja-linux.zip \ && unzip ninja-linux.zip \ && mv ninja /usr/bin diff --git a/arch/Dockerfile b/arch/Dockerfile index 67fda4ac..42c67c30 100644 --- a/arch/Dockerfile +++ b/arch/Dockerfile @@ -36,7 +36,7 @@ RUN pacman -Sy --noconfirm \ xorg-server-xvfb \ && find /var/cache/pacman/ -type f -delete -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_imagequant.sh \ && ./install_raqm.sh diff --git a/debian-12-bookworm-amd64/Dockerfile b/debian-12-bookworm-amd64/Dockerfile index ad84b732..e604f972 100644 --- a/debian-12-bookworm-amd64/Dockerfile +++ b/debian-12-bookworm-amd64/Dockerfile @@ -77,7 +77,7 @@ RUN virtualenv -p /usr/bin/python3.11 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends && ./install_imagequant.sh && ./install_libavif.sh && ./install_raqm.sh ENV FORCE_COLOR=1 diff --git a/debian-12-bookworm-x86/Dockerfile b/debian-12-bookworm-x86/Dockerfile index 03d48aa4..3daee9f4 100644 --- a/debian-12-bookworm-x86/Dockerfile +++ b/debian-12-bookworm-x86/Dockerfile 
@@ -77,7 +77,7 @@ RUN virtualenv -p /usr/bin/python3.11 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends && ./install_imagequant.sh && ./install_libavif.sh && ./install_raqm.sh ENV FORCE_COLOR=1 diff --git a/debian-13-trixie-amd64/Dockerfile b/debian-13-trixie-amd64/Dockerfile index 40c8e1ce..b78ad612 100644 --- a/debian-13-trixie-amd64/Dockerfile +++ b/debian-13-trixie-amd64/Dockerfile @@ -77,7 +77,7 @@ RUN virtualenv -p /usr/bin/python3.13 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends && ./install_imagequant.sh && ./install_libavif.sh && ./install_raqm.sh ENV FORCE_COLOR=1 diff --git a/debian-13-trixie-x86/Dockerfile b/debian-13-trixie-x86/Dockerfile index 496a78ff..5e454b87 100644 --- a/debian-13-trixie-x86/Dockerfile +++ b/debian-13-trixie-x86/Dockerfile @@ -77,7 +77,7 @@ RUN virtualenv -p /usr/bin/python3.13 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends && ./install_imagequant.sh && ./install_libavif.sh && ./install_raqm.sh ENV FORCE_COLOR=1 diff --git a/fedora-42-amd64/Dockerfile b/fedora-42-amd64/Dockerfile index c069c327..2e93c37e 100644 --- a/fedora-42-amd64/Dockerfile +++ b/fedora-42-amd64/Dockerfile @@ -38,7 +38,7 @@ RUN virtualenv -p /usr/bin/python3.13 --system-site-packages /vpy3 \ && /vpy3/bin/pip install numpy --only-binary=:all: || true \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends ENV FORCE_COLOR=1 diff --git a/fedora-43-amd64/Dockerfile b/fedora-43-amd64/Dockerfile index b5c68e93..38ccab3c 100644 --- a/fedora-43-amd64/Dockerfile +++ b/fedora-43-amd64/Dockerfile 
@@ -38,7 +38,7 @@ RUN virtualenv -p /usr/bin/python3.14 --system-site-packages /vpy3 \ && /vpy3/bin/pip install numpy --only-binary=:all: || true \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends ENV FORCE_COLOR=1 diff --git a/gentoo/Dockerfile b/gentoo/Dockerfile index e7f052e9..0ae6de5b 100644 --- a/gentoo/Dockerfile +++ b/gentoo/Dockerfile @@ -38,7 +38,7 @@ RUN virtualenv --system-site-packages /vpy3 \ && /vpy3/bin/pip install pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends && ./install_imagequant.sh && ./install_libavif.sh && ./install_raqm.sh && ldconfig ENV FORCE_COLOR=1 diff --git a/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile b/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile index 426d4c48..b1c4e593 100644 --- a/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile +++ b/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile @@ -45,7 +45,7 @@ RUN virtualenv -p /usr/bin/python3.10-dbg --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout pytest-valgrind \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_libavif.sh \ && ./install_raqm.sh diff --git a/ubuntu-22.04-jammy-amd64/Dockerfile b/ubuntu-22.04-jammy-amd64/Dockerfile index ee2f1717..f0ba8808 100644 --- a/ubuntu-22.04-jammy-amd64/Dockerfile +++ b/ubuntu-22.04-jammy-amd64/Dockerfile @@ -52,7 +52,7 @@ RUN virtualenv -p /usr/bin/python3.10 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pyside6 pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_libavif.sh \ && ./install_raqm.sh diff --git a/ubuntu-24.04-noble-amd64/Dockerfile b/ubuntu-24.04-noble-amd64/Dockerfile index 2b31de57..5a3a6720 100644 --- a/ubuntu-24.04-noble-amd64/Dockerfile +++ b/ubuntu-24.04-noble-amd64/Dockerfile 
@@ -52,7 +52,7 @@ RUN virtualenv -p /usr/bin/python3.12 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pyside6 pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_raqm.sh diff --git a/ubuntu-24.04-noble-arm64v8/Dockerfile b/ubuntu-24.04-noble-arm64v8/Dockerfile index 3ea05117..092ded49 100644 --- a/ubuntu-24.04-noble-arm64v8/Dockerfile +++ b/ubuntu-24.04-noble-arm64v8/Dockerfile @@ -52,7 +52,7 @@ RUN virtualenv -p /usr/bin/python3.12 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pyside6 pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_raqm.sh diff --git a/ubuntu-24.04-noble-ppc64le/Dockerfile b/ubuntu-24.04-noble-ppc64le/Dockerfile index 8437ba00..6019d9d2 100644 --- a/ubuntu-24.04-noble-ppc64le/Dockerfile +++ b/ubuntu-24.04-noble-ppc64le/Dockerfile @@ -42,7 +42,7 @@ RUN virtualenv -p /usr/bin/python3.12 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_raqm.sh diff --git a/ubuntu-24.04-noble-s390x/Dockerfile b/ubuntu-24.04-noble-s390x/Dockerfile index 2b08e38c..05bd9079 100644 --- a/ubuntu-24.04-noble-s390x/Dockerfile +++ b/ubuntu-24.04-noble-s390x/Dockerfile @@ -40,7 +40,7 @@ RUN virtualenv -p /usr/bin/python3.12 --system-site-packages /vpy3 \ && /vpy3/bin/pip install olefile pytest pytest-cov pytest-timeout \ && chown -R pillow:pillow /vpy3 -ADD depends /depends +COPY depends /depends RUN cd /depends \ && ./install_raqm.sh \ && ./install_webp.sh From 98bc643fcae2d50dadbd4c40b07ad8506be626b6 Mon Sep 17 00:00:00 2001 
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 18 Feb 2026 15:38:39 +0200 Subject: [PATCH 04/14] Fix DL3015: Avoid additional packages (--no-install-recommends) --- .hadolint.yaml | 1 - debian-12-bookworm-amd64/Dockerfile | 3 ++- debian-12-bookworm-x86/Dockerfile | 3 ++- debian-13-trixie-amd64/Dockerfile | 3 ++- debian-13-trixie-x86/Dockerfile | 3 ++- ubuntu-22.04-jammy-amd64-valgrind/Dockerfile | 3 ++- ubuntu-22.04-jammy-amd64/Dockerfile | 3 ++- ubuntu-24.04-noble-amd64/Dockerfile | 3 ++- ubuntu-24.04-noble-arm64v8/Dockerfile | 3 ++- ubuntu-24.04-noble-ppc64le/Dockerfile | 3 ++- ubuntu-24.04-noble-s390x/Dockerfile | 3 ++- 11 files changed, 20 insertions(+), 11 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index 6d70f888..e4ca0ab5 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -4,7 +4,6 @@ ignored: - DL3007 # Using latest is prone to errors - DL3008 # Pin versions in apt-get install - DL3013 # Pin versions in pip - - DL3015 # Avoid additional packages (--no-install-recommends) - DL3018 # Pin versions in apk add - DL3033 # Pin versions in yum install - DL3041 # Pin versions in dnf install diff --git a/debian-12-bookworm-amd64/Dockerfile b/debian-12-bookworm-amd64/Dockerfile index e604f972..9e3ee9c2 100644 --- a/debian-12-bookworm-amd64/Dockerfile +++ b/debian-12-bookworm-amd64/Dockerfile @@ -31,7 +31,8 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ # Pillow customization # -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ ghostscript \ diff --git a/debian-12-bookworm-x86/Dockerfile b/debian-12-bookworm-x86/Dockerfile index 3daee9f4..8231d402 100644 --- a/debian-12-bookworm-x86/Dockerfile +++ b/debian-12-bookworm-x86/Dockerfile 
@@ -31,7 +31,8 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ # Pillow customization # -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ ghostscript \ diff --git a/debian-13-trixie-amd64/Dockerfile b/debian-13-trixie-amd64/Dockerfile index b78ad612..5b2ea9b8 100644 --- a/debian-13-trixie-amd64/Dockerfile +++ b/debian-13-trixie-amd64/Dockerfile @@ -31,7 +31,8 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ # Pillow customization # -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ ghostscript \ diff --git a/debian-13-trixie-x86/Dockerfile b/debian-13-trixie-x86/Dockerfile index 5e454b87..2c332542 100644 --- a/debian-13-trixie-x86/Dockerfile +++ b/debian-13-trixie-x86/Dockerfile @@ -31,7 +31,8 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ # Pillow customization # -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ ghostscript \ diff --git a/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile b/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile index b1c4e593..884e5051 100644 --- a/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile +++ b/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile @@ -1,6 +1,7 @@ FROM ubuntu:jammy -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ ghostscript \ git \ diff --git a/ubuntu-22.04-jammy-amd64/Dockerfile b/ubuntu-22.04-jammy-amd64/Dockerfile index f0ba8808..53594aa2 100644 --- a/ubuntu-22.04-jammy-amd64/Dockerfile +++ b/ubuntu-22.04-jammy-amd64/Dockerfile 
@@ -1,6 +1,7 @@ FROM ubuntu:jammy -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ ghostscript \ git \ diff --git a/ubuntu-24.04-noble-amd64/Dockerfile b/ubuntu-24.04-noble-amd64/Dockerfile index 5a3a6720..3be01ed2 100644 --- a/ubuntu-24.04-noble-amd64/Dockerfile +++ b/ubuntu-24.04-noble-amd64/Dockerfile @@ -1,6 +1,7 @@ FROM ubuntu:noble -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ ghostscript \ git \ diff --git a/ubuntu-24.04-noble-arm64v8/Dockerfile b/ubuntu-24.04-noble-arm64v8/Dockerfile index 092ded49..e088830b 100644 --- a/ubuntu-24.04-noble-arm64v8/Dockerfile +++ b/ubuntu-24.04-noble-arm64v8/Dockerfile @@ -1,6 +1,7 @@ FROM arm64v8/ubuntu:noble -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ ghostscript \ git \ diff --git a/ubuntu-24.04-noble-ppc64le/Dockerfile b/ubuntu-24.04-noble-ppc64le/Dockerfile index 6019d9d2..d24243c8 100644 --- a/ubuntu-24.04-noble-ppc64le/Dockerfile +++ b/ubuntu-24.04-noble-ppc64le/Dockerfile @@ -1,6 +1,7 @@ FROM ppc64le/ubuntu:noble -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ ghostscript \ git \ diff --git a/ubuntu-24.04-noble-s390x/Dockerfile b/ubuntu-24.04-noble-s390x/Dockerfile index 05bd9079..3c0bdc26 100644 --- a/ubuntu-24.04-noble-s390x/Dockerfile +++ b/ubuntu-24.04-noble-s390x/Dockerfile 
@@ -1,6 +1,7 @@ FROM s390x/ubuntu:noble -RUN apt-get -qq update && DEBIAN_FRONTEND=noninteractive apt-get -y install \ +RUN apt-get -qq update \ + && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ ghostscript \ git \ From c5a5982a9613dc6a870e0a686fd8d5dbb806e17f Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 18 Feb 2026 16:07:21 +0200 Subject: [PATCH 05/14] Fix DL3015: Explicit is better than implicit --- debian-12-bookworm-amd64/Dockerfile | 3 +++ debian-12-bookworm-x86/Dockerfile | 3 +++ debian-13-trixie-amd64/Dockerfile | 3 +++ debian-13-trixie-x86/Dockerfile | 3 +++ ubuntu-22.04-jammy-amd64-valgrind/Dockerfile | 2 ++ ubuntu-22.04-jammy-amd64/Dockerfile | 3 +++ ubuntu-24.04-noble-amd64/Dockerfile | 2 ++ ubuntu-24.04-noble-arm64v8/Dockerfile | 2 ++ ubuntu-24.04-noble-ppc64le/Dockerfile | 2 ++ ubuntu-24.04-noble-s390x/Dockerfile | 2 ++ 10 files changed, 25 insertions(+) diff --git a/debian-12-bookworm-amd64/Dockerfile b/debian-12-bookworm-amd64/Dockerfile index 9e3ee9c2..8ba4effa 100644 --- a/debian-12-bookworm-amd64/Dockerfile +++ b/debian-12-bookworm-amd64/Dockerfile @@ -35,6 +35,8 @@ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ + g++ \ + gcc \ ghostscript \ git \ libfreetype6-dev \ @@ -59,6 +61,7 @@ RUN apt-get -qq update \ tk8.6-dev \ virtualenv \ wget \ + xauth \ xvfb \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* diff --git a/debian-12-bookworm-x86/Dockerfile b/debian-12-bookworm-x86/Dockerfile index 8231d402..08e2b00c 100644 --- a/debian-12-bookworm-x86/Dockerfile +++ b/debian-12-bookworm-x86/Dockerfile @@ -35,6 +35,8 @@ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ + g++ \ + gcc \ ghostscript \ git \ libfreetype6-dev \ 
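Review bot: `ca-certificates` is not among the packages these hunks make explicit (`g++`, `gcc`, `xauth`). On Debian and Ubuntu it is usually pulled in only as a Recommends of `wget` and of the curl library, which `--no-install-recommends` now skips. A later layer in the Debian files fetches `https://sh.rustup.rs`, so a missing bundle makes that download fail certificate verification, and the tempting fix is to turn verification off. The package list runs beyond the visible hunk lines, so it may already be listed or arrive as a hard dependency; if not, add `ca-certificates \` to the list. The same question applies to the other Debian and Ubuntu Dockerfiles in this patch.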
@@ -59,6 +61,7 @@ RUN apt-get -qq update \ tk8.6-dev \ virtualenv \ wget \ + xauth \ xvfb \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* diff --git a/debian-13-trixie-amd64/Dockerfile b/debian-13-trixie-amd64/Dockerfile index 5b2ea9b8..fb660ddb 100644 --- a/debian-13-trixie-amd64/Dockerfile +++ b/debian-13-trixie-amd64/Dockerfile @@ -35,6 +35,8 @@ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ + g++ \ + gcc \ ghostscript \ git \ libfreetype6-dev \ @@ -59,6 +61,7 @@ RUN apt-get -qq update \ tk8.6-dev \ virtualenv \ wget \ + xauth \ xvfb \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* diff --git a/debian-13-trixie-x86/Dockerfile b/debian-13-trixie-x86/Dockerfile index 2c332542..2aeb8113 100644 --- a/debian-13-trixie-x86/Dockerfile +++ b/debian-13-trixie-x86/Dockerfile @@ -35,6 +35,8 @@ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ curl \ + g++ \ + gcc \ ghostscript \ git \ libfreetype6-dev \ @@ -59,6 +61,7 @@ RUN apt-get -qq update \ tk8.6-dev \ virtualenv \ wget \ + xauth \ xvfb \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* diff --git a/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile b/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile index 884e5051..d573a67e 100644 --- a/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile +++ b/ubuntu-22.04-jammy-amd64-valgrind/Dockerfile @@ -3,6 +3,8 @@ FROM ubuntu:jammy RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ + g++ \ + gcc \ ghostscript \ git \ libfreetype6-dev \ diff --git a/ubuntu-22.04-jammy-amd64/Dockerfile b/ubuntu-22.04-jammy-amd64/Dockerfile index 53594aa2..cc38ecd5 100644 --- a/ubuntu-22.04-jammy-amd64/Dockerfile +++ b/ubuntu-22.04-jammy-amd64/Dockerfile 
@@ -3,6 +3,8 @@ FROM ubuntu:jammy RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ + g++ \ + gcc \ ghostscript \ git \ libegl-dev \ @@ -23,6 +25,7 @@ RUN apt-get -qq update \ libxcb-keysyms1 \ libxcb-randr0 \ libxcb-render-util0 \ + libxcb-shape0 \ libxkbcommon-x11-0 \ meson \ nasm \ diff --git a/ubuntu-24.04-noble-amd64/Dockerfile b/ubuntu-24.04-noble-amd64/Dockerfile index 3be01ed2..31bfc27e 100644 --- a/ubuntu-24.04-noble-amd64/Dockerfile +++ b/ubuntu-24.04-noble-amd64/Dockerfile @@ -3,6 +3,8 @@ FROM ubuntu:noble RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ + g++ \ + gcc \ ghostscript \ git \ libavif-dev \ diff --git a/ubuntu-24.04-noble-arm64v8/Dockerfile b/ubuntu-24.04-noble-arm64v8/Dockerfile index e088830b..d5c1b7dd 100644 --- a/ubuntu-24.04-noble-arm64v8/Dockerfile +++ b/ubuntu-24.04-noble-arm64v8/Dockerfile @@ -3,6 +3,8 @@ FROM arm64v8/ubuntu:noble RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ + g++ \ + gcc \ ghostscript \ git \ libavif-dev \ diff --git a/ubuntu-24.04-noble-ppc64le/Dockerfile b/ubuntu-24.04-noble-ppc64le/Dockerfile index d24243c8..a42984e2 100644 --- a/ubuntu-24.04-noble-ppc64le/Dockerfile +++ b/ubuntu-24.04-noble-ppc64le/Dockerfile @@ -3,6 +3,8 @@ FROM ppc64le/ubuntu:noble RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ + g++ \ + gcc \ ghostscript \ git \ libavif-dev \ diff --git a/ubuntu-24.04-noble-s390x/Dockerfile b/ubuntu-24.04-noble-s390x/Dockerfile index 3c0bdc26..a68d623f 100644 --- a/ubuntu-24.04-noble-s390x/Dockerfile +++ b/ubuntu-24.04-noble-s390x/Dockerfile @@ -3,6 +3,8 @@ FROM s390x/ubuntu:noble RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ + g++ \ + gcc \ ghostscript \ git \ libavif-dev \ 
From a5be7830f5ece485fb2d4141bd5b018f40ee78f7 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 18 Feb 2026 16:11:37 +0200 Subject: [PATCH 06/14] Fix DL3042: Avoid use of cache directory with pip --- .hadolint.yaml | 1 - amazon-2-amd64/Dockerfile | 2 +- 2 files changed, 1 insertion(+), 2 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index e4ca0ab5..a4ca0940 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -7,7 +7,6 @@ ignored: - DL3018 # Pin versions in apk add - DL3033 # Pin versions in yum install - DL3041 # Pin versions in dnf install - - DL3042 # Avoid use of cache directory with pip - DL3047 # Avoid use of wget without progress bar - DL3059 # Multiple consecutive RUN instructions - DL4001 # Either use Wget or Curl but not both diff --git a/amazon-2-amd64/Dockerfile b/amazon-2-amd64/Dockerfile index c6f34d9e..325f45d4 100644 --- a/amazon-2-amd64/Dockerfile +++ b/amazon-2-amd64/Dockerfile @@ -64,7 +64,7 @@ RUN bash -c "python3.10 -m pip install virtualenv \ RUN wget https://github.com/ninja-build/ninja/releases/download/v1.13.2/ninja-linux.zip \ && unzip ninja-linux.zip \ && mv ninja /usr/bin -RUN python3.10 -m pip install meson +RUN python3.10 -m pip install --no-cache-dir meson RUN ln -s /usr/local/bin/python3.10 /usr/bin/python3 RUN cd /depends \ && ./install_openjpeg.sh \ From 56abaf46ec81644248d7842e34d4762ff36691d6 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 18 Feb 2026 20:40:51 +0200 Subject: [PATCH 07/14] Fix DL4006: Set the SHELL option -o pipefail before RUN with a pipe in --- .hadolint.yaml | 1 - amazon-2-amd64/Dockerfile | 1 + amazon-2023-amd64/Dockerfile | 1 + debian-12-bookworm-amd64/Dockerfile | 1 + debian-12-bookworm-x86/Dockerfile | 1 + debian-13-trixie-amd64/Dockerfile | 1 + debian-13-trixie-x86/Dockerfile | 1 + gentoo/Dockerfile | 2 ++ 8 files changed, 8 insertions(+), 1 deletion(-) 
diff --git a/.hadolint.yaml b/.hadolint.yaml index a4ca0940..9e41cbed 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -10,5 +10,4 @@ ignored: - DL3047 # Avoid use of wget without progress bar - DL3059 # Multiple consecutive RUN instructions - DL4001 # Either use Wget or Curl but not both - - DL4006 # Set the SHELL option -o pipefail before RUN with a pipe in - SC2016 # Expressions don't expand in single quotes diff --git a/amazon-2-amd64/Dockerfile b/amazon-2-amd64/Dockerfile index 325f45d4..103cd46c 100644 --- a/amazon-2-amd64/Dockerfile +++ b/amazon-2-amd64/Dockerfile @@ -30,6 +30,7 @@ RUN yum install -y \ zlib-devel \ && yum clean all +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/amazon-2023-amd64/Dockerfile b/amazon-2023-amd64/Dockerfile index 6c582a2e..f6e8a486 100644 --- a/amazon-2023-amd64/Dockerfile +++ b/amazon-2023-amd64/Dockerfile @@ -33,6 +33,7 @@ RUN yum install -y \ zlib-devel \ && yum clean all +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/debian-12-bookworm-amd64/Dockerfile b/debian-12-bookworm-amd64/Dockerfile index 8ba4effa..ccb7b2f8 100644 --- a/debian-12-bookworm-amd64/Dockerfile +++ b/debian-12-bookworm-amd64/Dockerfile @@ -66,6 +66,7 @@ RUN apt-get -qq update \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/debian-12-bookworm-x86/Dockerfile b/debian-12-bookworm-x86/Dockerfile index 08e2b00c..0c61f8b8 100644 --- a/debian-12-bookworm-x86/Dockerfile +++ b/debian-12-bookworm-x86/Dockerfile 
@@ -66,6 +66,7 @@ RUN apt-get -qq update \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-host=i686-unknown-linux-gnu ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/debian-13-trixie-amd64/Dockerfile b/debian-13-trixie-amd64/Dockerfile index fb660ddb..c2a7cc74 100644 --- a/debian-13-trixie-amd64/Dockerfile +++ b/debian-13-trixie-amd64/Dockerfile @@ -66,6 +66,7 @@ RUN apt-get -qq update \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/debian-13-trixie-x86/Dockerfile b/debian-13-trixie-x86/Dockerfile index 2aeb8113..45d41797 100644 --- a/debian-13-trixie-x86/Dockerfile +++ b/debian-13-trixie-x86/Dockerfile @@ -66,6 +66,7 @@ RUN apt-get -qq update \ zlib1g-dev \ && rm -rf /var/lib/apt/lists/* +SHELL ["/bin/bash", "-o", "pipefail", "-c"] RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-host=i686-unknown-linux-gnu ENV PATH="/root/.cargo/bin:${PATH}" diff --git a/gentoo/Dockerfile b/gentoo/Dockerfile index 0ae6de5b..7f1197eb 100644 --- a/gentoo/Dockerfile +++ b/gentoo/Dockerfile @@ -1,5 +1,7 @@ FROM gentoo/stage3:desktop +SHELL ["/bin/bash", "-o", "pipefail", "-c"] + # Disable bits which don't work within Docker. RUN echo 'FEATURES="-ipc-sandbox -pid-sandbox -network-sandbox -usersandbox -mount-sandbox -sandbox"' | cat >> /etc/portage/make.conf # Speed things up a bit. From adbe1d214cf0ccff3f000c6d704ce717168ecc9a Mon Sep 17 00:00:00 2001 
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 18 Feb 2026 21:25:11 +0200 Subject: [PATCH 08/14] Fix DL4001: Either use Wget or Curl but not both --- .hadolint.yaml | 1 - amazon-2-amd64/Dockerfile | 3 +-- amazon-2023-amd64/Dockerfile | 2 +- centos-stream-9-amd64/Dockerfile | 2 +- debian-12-bookworm-amd64/Dockerfile | 3 +-- debian-12-bookworm-x86/Dockerfile | 3 +-- debian-13-trixie-amd64/Dockerfile | 3 +-- debian-13-trixie-x86/Dockerfile | 3 +-- 8 files changed, 7 insertions(+), 13 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index 9e41cbed..ac2a67d6 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -9,5 +9,4 @@ ignored: - DL3041 # Pin versions in dnf install - DL3047 # Avoid use of wget without progress bar - DL3059 # Multiple consecutive RUN instructions - - DL4001 # Either use Wget or Curl but not both - SC2016 # Expressions don't expand in single quotes diff --git a/amazon-2-amd64/Dockerfile b/amazon-2-amd64/Dockerfile index 103cd46c..f872437c 100644 --- a/amazon-2-amd64/Dockerfile +++ b/amazon-2-amd64/Dockerfile @@ -2,7 +2,6 @@ FROM amazonlinux:2 RUN yum install -y \ cmake \ - curl \ findutils \ fribidi-devel \ gcc \ @@ -31,7 +30,7 @@ RUN yum install -y \ && yum clean all SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +RUN wget -qO- https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd --uid 1001 pillow diff --git a/amazon-2023-amd64/Dockerfile b/amazon-2023-amd64/Dockerfile index f6e8a486..7b49c64b 100644 --- a/amazon-2023-amd64/Dockerfile +++ b/amazon-2023-amd64/Dockerfile @@ -34,7 +34,7 @@ RUN yum install -y \ && yum clean all SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +RUN wget -qO- https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd --uid 1001 pillow 
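Review bot: Replacing `curl --proto '=https' --tlsv1.2 -sSf` with `wget -qO-` on the rustup line drops the two flags that kept the transfer on HTTPS across redirects and set a TLS 1.2 floor. The script is still piped straight into `sh`, apparently as root given the `/root/.cargo/bin` PATH entry. DL4001 only asks for one tool, so the hardening can be kept by standardising on curl and fetching the tarballs with `curl -fsSLO` instead. If wget stays, `--secure-protocol=TLSv1_2` restores the TLS floor, though the older wget in `amazonlinux:2` may not accept that value, and I am not aware of a direct wget equivalent of `--proto '=https'`. The same substitution is made in the amazon-2023 hunk and in the debian-12 and debian-13 hunks of this patch.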
diff --git a/centos-stream-9-amd64/Dockerfile b/centos-stream-9-amd64/Dockerfile index 5a6ed4c6..8b120f65 100644 --- a/centos-stream-9-amd64/Dockerfile +++ b/centos-stream-9-amd64/Dockerfile @@ -34,7 +34,7 @@ RUN yum install -y \ RUN useradd --uid 1001 pillow -RUN wget https://www.python.org/ftp/python/3.10.18/Python-3.10.18.tgz \ +RUN wget --no-verbose https://www.python.org/ftp/python/3.10.18/Python-3.10.18.tgz \ && tar xzf Python-3.10.18.tgz \ && cd Python-3.10.18 \ && ./configure \ diff --git a/debian-12-bookworm-amd64/Dockerfile b/debian-12-bookworm-amd64/Dockerfile index ccb7b2f8..c9bc4a96 100644 --- a/debian-12-bookworm-amd64/Dockerfile +++ b/debian-12-bookworm-amd64/Dockerfile @@ -34,7 +34,6 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ - curl \ g++ \ gcc \ ghostscript \ @@ -67,7 +66,7 @@ RUN apt-get -qq update \ && rm -rf /var/lib/apt/lists/* SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +RUN wget -qO- https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd --uid 1001 pillow \ diff --git a/debian-12-bookworm-x86/Dockerfile b/debian-12-bookworm-x86/Dockerfile index 0c61f8b8..62715425 100644 --- a/debian-12-bookworm-x86/Dockerfile +++ b/debian-12-bookworm-x86/Dockerfile @@ -34,7 +34,6 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ - curl \ g++ \ gcc \ ghostscript \ 
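Review bot: The reworked `wget --no-verbose https://www.python.org/ftp/python/3.10.18/Python-3.10.18.tgz` line still unpacks and builds the tarball without checking it against a known digest, so TLS to the download host is the only integrity control. Since the line is being touched anyway, add a check between the download and `tar`, for example `&& echo "<expected-sha256>  Python-3.10.18.tgz" | sha256sum -c - \`, with the digest recorded when the version was chosen. The amazon-2 hunks in patch 09 have the same gap for this tarball and for `ninja-linux.zip`, which is moved into `/usr/bin` unverified. The RUN instruction continues past the end of the hunk.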
@@ -67,7 +66,7 @@ RUN apt-get -qq update \ && rm -rf /var/lib/apt/lists/* SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-host=i686-unknown-linux-gnu +RUN wget -qO- https://sh.rustup.rs | sh -s -- -y --default-host=i686-unknown-linux-gnu ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd -u 1001 pillow \ diff --git a/debian-13-trixie-amd64/Dockerfile b/debian-13-trixie-amd64/Dockerfile index c2a7cc74..d10bbe21 100644 --- a/debian-13-trixie-amd64/Dockerfile +++ b/debian-13-trixie-amd64/Dockerfile @@ -34,7 +34,6 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ - curl \ g++ \ gcc \ ghostscript \ @@ -67,7 +66,7 @@ RUN apt-get -qq update \ && rm -rf /var/lib/apt/lists/* SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y +RUN wget -qO- https://sh.rustup.rs | sh -s -- -y ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd --uid 1001 pillow \ diff --git a/debian-13-trixie-x86/Dockerfile b/debian-13-trixie-x86/Dockerfile index 45d41797..8b2bd9ff 100644 --- a/debian-13-trixie-x86/Dockerfile +++ b/debian-13-trixie-x86/Dockerfile @@ -34,7 +34,6 @@ RUN echo '#!/bin/sh' > /usr/sbin/policy-rc.d \ RUN apt-get -qq update \ && DEBIAN_FRONTEND=noninteractive apt-get -y --no-install-recommends install \ cmake \ - curl \ g++ \ gcc \ ghostscript \ @@ -67,7 +66,7 @@ RUN apt-get -qq update \ && rm -rf /var/lib/apt/lists/* SHELL ["/bin/bash", "-o", "pipefail", "-c"] -RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-host=i686-unknown-linux-gnu +RUN wget -qO- https://sh.rustup.rs | sh -s -- -y --default-host=i686-unknown-linux-gnu ENV PATH="/root/.cargo/bin:${PATH}" RUN useradd -u 1001 pillow \ From 5b9be662fd4de400ad24415242057cbf60c60f08 Mon Sep 17 00:00:00 2001 
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Wed, 18 Feb 2026 21:57:27 +0200 Subject: [PATCH 09/14] Fix DL3047: Avoid use of wget without progress bar --- .hadolint.yaml | 1 - amazon-2-amd64/Dockerfile | 4 ++-- amazon-2023-amd64/Dockerfile | 2 +- 3 files changed, 3 insertions(+), 4 deletions(-) diff --git a/.hadolint.yaml b/.hadolint.yaml index ac2a67d6..d8b3f1bb 100644 --- a/.hadolint.yaml +++ b/.hadolint.yaml @@ -7,6 +7,5 @@ ignored: - DL3018 # Pin versions in apk add - DL3033 # Pin versions in yum install - DL3041 # Pin versions in dnf install - - DL3047 # Avoid use of wget without progress bar - DL3059 # Multiple consecutive RUN instructions - SC2016 # Expressions don't expand in single quotes diff --git a/amazon-2-amd64/Dockerfile b/amazon-2-amd64/Dockerfile index f872437c..7c1520ea 100644 --- a/amazon-2-amd64/Dockerfile +++ b/amazon-2-amd64/Dockerfile @@ -43,7 +43,7 @@ RUN yum remove -y openssl-devel && \ yum install -y openssl11-devel && \ yum clean all -RUN wget https://www.python.org/ftp/python/3.10.18/Python-3.10.18.tgz \ +RUN wget --no-verbose https://www.python.org/ftp/python/3.10.18/Python-3.10.18.tgz \ && tar xzf Python-3.10.18.tgz \ && cd Python-3.10.18 \ && ./configure \ @@ -61,7 +61,7 @@ RUN bash -c "python3.10 -m pip install virtualenv \ && /vpy3/bin/pip install numpy --only-binary=:all: || true \ && chown -R pillow:pillow /vpy3" -RUN wget https://github.com/ninja-build/ninja/releases/download/v1.13.2/ninja-linux.zip \ +RUN wget --no-verbose https://github.com/ninja-build/ninja/releases/download/v1.13.2/ninja-linux.zip \ && unzip ninja-linux.zip \ && mv ninja /usr/bin RUN python3.10 -m pip install --no-cache-dir meson diff --git a/amazon-2023-amd64/Dockerfile b/amazon-2023-amd64/Dockerfile index 7b49c64b..caac86f3 100644 --- a/amazon-2023-amd64/Dockerfile +++ b/amazon-2023-amd64/Dockerfile 
@@ -50,7 +50,7 @@ RUN bash -c "/usr/bin/python3.11 -m pip install virtualenv \ && chown -R pillow:pillow /vpy3" COPY depends /depends -RUN wget https://github.com/ninja-build/ninja/releases/download/v1.13.2/ninja-linux.zip \ +RUN wget --no-verbose https://github.com/ninja-build/ninja/releases/download/v1.13.2/ninja-linux.zip \ && unzip ninja-linux.zip \ && mv ninja /usr/bin RUN /usr/bin/python3.11 -m pip install meson From 22539378998d6532238966deea2f9a83c4344c7e Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 16 Jan 2026 14:57:49 +0200 Subject: [PATCH 10/14] Add zizmor to pre-commit --- .github/workflows/build.yml | 8 +++++--- .github/zizmor.yml | 6 ++++++ .pre-commit-config.yaml | 10 ++++++++++ 3 files changed, 21 insertions(+), 3 deletions(-) create mode 100644 .github/zizmor.yml diff --git a/.github/workflows/build.yml b/.github/workflows/build.yml index d23bff76..472a7cf8 100644 --- a/.github/workflows/build.yml +++ b/.github/workflows/build.yml @@ -3,6 +3,8 @@ name: Docker images on: [push, pull_request, workflow_dispatch] +permissions: {} + concurrency: group: ${{ github.workflow }}-${{ github.ref }} cancel-in-progress: true @@ -75,7 +77,7 @@ jobs: git submodule update --remote Pillow fi (cd Pillow && git checkout main) - sudo chown -R 1001 $(pwd) + sudo chown -R 1001 "$(pwd)" - name: Test Image Build if: "matrix.test-image" @@ -91,7 +93,7 @@ jobs: run: | cd "${{ matrix.image }}" && sudo chmod a+w . && make update if [[ -n "$DOCKER_USERNAME" ]]; then - echo $DOCKER_PASSWORD | docker login -u $DOCKER_USERNAME --password-stdin && echo "logged_in=true" >> $GITHUB_OUTPUT + echo "$DOCKER_PASSWORD" | docker login -u "$DOCKER_USERNAME" --password-stdin && echo "logged_in=true" >> "$GITHUB_OUTPUT" fi make build BRANCH=main env: @@ -120,7 +122,7 @@ jobs: - name: Post build if: always() - run: sudo chown -R $(id -u) $(pwd) + run: sudo chown -R "$(id -u)" "$(pwd)" success: needs: build 
diff --git a/.github/zizmor.yml b/.github/zizmor.yml new file mode 100644 index 00000000..10002656 --- /dev/null +++ b/.github/zizmor.yml @@ -0,0 +1,6 @@ +# https://docs.zizmor.sh/configuration/ +rules: + unpinned-uses: + config: + policies: + "*": ref-pin diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 067722c7..7cb2b7a2 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -6,11 +6,21 @@ repos: - id: check-json - id: check-yaml + - repo: https://github.com/zizmorcore/zizmor-pre-commit + rev: v1.22.0 + hooks: + - id: zizmor + - repo: https://github.com/AleksaC/hadolint-py rev: v2.14.0 hooks: - id: hadolint exclude: ^archive/ + - repo: meta + hooks: + - id: check-hooks-apply + - id: check-useless-excludes + ci: autoupdate_schedule: quarterly From e3b06e2100e3a67357e51423a705551ac46d05f3 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 16 Jan 2026 15:02:44 +0200 Subject: [PATCH 11/14] Add more pre-commit checks --- .pre-commit-config.yaml | 13 +++++++++++++ 1 file changed, 13 insertions(+) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 7cb2b7a2..e0881501 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -2,10 +2,23 @@ repos: - repo: https://github.com/pre-commit/pre-commit-hooks rev: v6.0.0 hooks: + - id: check-added-large-files + - id: check-case-conflict - id: check-merge-conflict - id: check-json - id: check-yaml + - repo: https://github.com/python-jsonschema/check-jsonschema + rev: 0.36.2 + hooks: + - id: check-github-workflows + - id: check-renovate + + - repo: https://github.com/rhysd/actionlint + rev: v1.7.11 + hooks: + - id: actionlint + - repo: https://github.com/zizmorcore/zizmor-pre-commit rev: v1.22.0 hooks: From 199f8d40bf883d069be129781873a73a58b99493 Mon Sep 17 00:00:00 2001 
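Review bot: The `"*": ref-pin` policy in the new .github/zizmor.yml lets every action, third-party ones included, pass the unpinned-uses audit with a tag or branch reference, which the action's owner can later move to different code. Keeping ref-pin for first-party actions and requiring a commit hash elsewhere would read `actions/*: ref-pin` followed by `"*": hash-pin`. If the wildcard is intentional, a short comment in the file saying why the policy is relaxed would help the next reader.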
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 16 Jan 2026 15:03:26 +0200 Subject: [PATCH 12/14] Add end-of-file-fixer --- .pre-commit-config.yaml | 1 + Makefile.sub | 1 - alpine/update.sh | 2 -- arch/update.sh | 2 -- archive/centos-6-amd64/update.sh | 1 - archive/centos-7-amd64/update.sh | 1 - archive/centos-8-amd64/update.sh | 1 - archive/centos-stream-8-amd64/update.sh | 1 - archive/manylinux1-wheel-build/Makefile | 1 - archive/manylinux1-wheel-build/README.md | 1 - manylinux2014-wheel-build/Makefile | 1 - manylinux2014-wheel-build/README.md | 1 - manylinux_2_28-wheel-build/Makefile | 1 - manylinux_2_28-wheel-build/README.md | 1 - ubuntu-22.04-jammy-amd64-valgrind/Makefile | 2 -- 15 files changed, 1 insertion(+), 17 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index e0881501..24c1824c 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -7,6 +7,7 @@ repos: - id: check-merge-conflict - id: check-json - id: check-yaml + - id: end-of-file-fixer - repo: https://github.com/python-jsonschema/check-jsonschema rev: 0.36.2 diff --git a/Makefile.sub b/Makefile.sub index 80fdc8b7..251fcac2 100644 --- a/Makefile.sub +++ b/Makefile.sub @@ -34,4 +34,3 @@ clean: .PHONY: shell shell: docker run --rm -it -v $(ROOT):/Pillow $(IMAGENAME):$(BRANCH) /bin/bash - diff --git a/alpine/update.sh b/alpine/update.sh index 4325fa06..80e3f3ba 100755 --- a/alpine/update.sh +++ b/alpine/update.sh @@ -1,4 +1,2 @@ #!/bin/sh docker pull alpine - - diff --git a/arch/update.sh b/arch/update.sh index e252cdc4..71b72845 100755 --- a/arch/update.sh +++ b/arch/update.sh @@ -1,4 +1,2 @@ #!/bin/sh docker pull greyltc/archlinux - - diff --git a/archive/centos-6-amd64/update.sh b/archive/centos-6-amd64/update.sh index 810d17bc..ebaf93f7 100755 --- a/archive/centos-6-amd64/update.sh +++ b/archive/centos-6-amd64/update.sh @@ -1,3 +1,2 @@ #!/bin/sh docker pull centos:6 - 
diff --git a/archive/centos-7-amd64/update.sh b/archive/centos-7-amd64/update.sh index 919f7678..8c631dbe 100755 --- a/archive/centos-7-amd64/update.sh +++ b/archive/centos-7-amd64/update.sh @@ -1,3 +1,2 @@ #!/bin/sh docker pull centos:7 - diff --git a/archive/centos-8-amd64/update.sh b/archive/centos-8-amd64/update.sh index 2ed0317b..b384fc87 100755 --- a/archive/centos-8-amd64/update.sh +++ b/archive/centos-8-amd64/update.sh @@ -1,3 +1,2 @@ #!/bin/sh docker pull centos:8 - diff --git a/archive/centos-stream-8-amd64/update.sh b/archive/centos-stream-8-amd64/update.sh index f2b52f34..a8014764 100755 --- a/archive/centos-stream-8-amd64/update.sh +++ b/archive/centos-stream-8-amd64/update.sh @@ -1,3 +1,2 @@ #!/bin/sh docker pull quay.io/centos/centos:stream8 - diff --git a/archive/manylinux1-wheel-build/Makefile b/archive/manylinux1-wheel-build/Makefile index d0f2f4b2..835ccd20 100644 --- a/archive/manylinux1-wheel-build/Makefile +++ b/archive/manylinux1-wheel-build/Makefile @@ -43,4 +43,3 @@ clean: .PHONY: shell shell: docker run --rm -it -v $(ROOT):/Pillow $(IMAGENAME):$(BRANCH) /bin/bash - diff --git a/archive/manylinux1-wheel-build/README.md b/archive/manylinux1-wheel-build/README.md index c34ececa..d4519e49 100644 --- a/archive/manylinux1-wheel-build/README.md +++ b/archive/manylinux1-wheel-build/README.md @@ -32,4 +32,3 @@ other images. . * yum_install is syntactic sugar to make the multibuild repo work with the base manylinux wheel image, rather than with it's custom set of images - diff --git a/manylinux2014-wheel-build/Makefile b/manylinux2014-wheel-build/Makefile index 92784d7a..3c21a319 100644 --- a/manylinux2014-wheel-build/Makefile +++ b/manylinux2014-wheel-build/Makefile @@ -46,4 +46,3 @@ clean: .PHONY: shell shell: docker run --rm -it -v $(ROOT):/Pillow $(IMAGENAME):$(BRANCH) /bin/bash - diff --git a/manylinux2014-wheel-build/README.md b/manylinux2014-wheel-build/README.md index 4ea7dfcb..96605188 100644 --- a/manylinux2014-wheel-build/README.md 
+++ b/manylinux2014-wheel-build/README.md @@ -32,4 +32,3 @@ other images. * yum_install is syntactic sugar to make the multibuild repo work with the base manylinux wheel image, rather than with its custom set of images - diff --git a/manylinux_2_28-wheel-build/Makefile b/manylinux_2_28-wheel-build/Makefile index 9f7021ef..1b79801d 100644 --- a/manylinux_2_28-wheel-build/Makefile +++ b/manylinux_2_28-wheel-build/Makefile @@ -46,4 +46,3 @@ clean: .PHONY: shell shell: docker run --rm -it -v $(ROOT):/Pillow $(IMAGENAME):$(BRANCH) /bin/bash - diff --git a/manylinux_2_28-wheel-build/README.md b/manylinux_2_28-wheel-build/README.md index a0d0e3b0..a5dd8d61 100644 --- a/manylinux_2_28-wheel-build/README.md +++ b/manylinux_2_28-wheel-build/README.md @@ -32,4 +32,3 @@ other images. * yum_install is syntactic sugar to make the multibuild repo work with the base manylinux wheel image, rather than with its custom set of images - diff --git a/ubuntu-22.04-jammy-amd64-valgrind/Makefile b/ubuntu-22.04-jammy-amd64-valgrind/Makefile index c4990273..096cebcd 100644 --- a/ubuntu-22.04-jammy-amd64-valgrind/Makefile +++ b/ubuntu-22.04-jammy-amd64-valgrind/Makefile @@ -36,5 +36,3 @@ build-dbg: dbg: docker run --privileged --rm -it -v $(ROOT):/Pillow $(IMAGENAME)-dbg:$(BRANCH) - - From dc54a36e0dd1fd954b3a9e8d9eda30ccd80af815 Mon Sep 17 00:00:00 2001 
From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 16 Jan 2026 15:03:49 +0200 Subject: [PATCH 13/14] Add trailing-whitespace --- .pre-commit-config.yaml | 1 + archive/debian-10-buster-x86/README.txt | 4 ++-- archive/debian-11-bullseye-amd64/README.txt | 4 ++-- archive/debian-11-bullseye-x86/README.txt | 4 ++-- archive/debian-12-bookworm-x86/README.txt | 4 ++-- archive/debian-9-stretch-x86/README.txt | 4 ++-- debian-12-bookworm-amd64/README.txt | 4 ++-- debian-12-bookworm-x86/README.txt | 4 ++-- debian-13-trixie-amd64/README.txt | 4 ++-- debian-13-trixie-x86/README.txt | 4 ++-- 10 files changed, 19 insertions(+), 18 deletions(-) diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 24c1824c..283c0612 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml @@ -8,6 +8,7 @@ repos: - id: check-json - id: check-yaml - id: end-of-file-fixer + - id: trailing-whitespace - repo: https://github.com/python-jsonschema/check-jsonschema rev: 0.36.2 diff --git a/archive/debian-10-buster-x86/README.txt b/archive/debian-10-buster-x86/README.txt index 625684a1..646a32a0 100644 --- a/archive/debian-10-buster-x86/README.txt +++ b/archive/debian-10-buster-x86/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/archive/debian-11-bullseye-amd64/README.txt b/archive/debian-11-bullseye-amd64/README.txt index 625684a1..646a32a0 100644 --- a/archive/debian-11-bullseye-amd64/README.txt +++ b/archive/debian-11-bullseye-amd64/README.txt 
@@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/archive/debian-11-bullseye-x86/README.txt b/archive/debian-11-bullseye-x86/README.txt index 625684a1..646a32a0 100644 --- a/archive/debian-11-bullseye-x86/README.txt +++ b/archive/debian-11-bullseye-x86/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/archive/debian-12-bookworm-x86/README.txt b/archive/debian-12-bookworm-x86/README.txt index 625684a1..646a32a0 100644 --- a/archive/debian-12-bookworm-x86/README.txt +++ b/archive/debian-12-bookworm-x86/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/archive/debian-9-stretch-x86/README.txt b/archive/debian-9-stretch-x86/README.txt index 625684a1..646a32a0 100644 
--- a/archive/debian-9-stretch-x86/README.txt +++ b/archive/debian-9-stretch-x86/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/debian-12-bookworm-amd64/README.txt b/debian-12-bookworm-amd64/README.txt index 625684a1..646a32a0 100644 --- a/debian-12-bookworm-amd64/README.txt +++ b/debian-12-bookworm-amd64/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/debian-12-bookworm-x86/README.txt b/debian-12-bookworm-x86/README.txt index 625684a1..646a32a0 100644 --- a/debian-12-bookworm-x86/README.txt +++ b/debian-12-bookworm-x86/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/debian-13-trixie-amd64/README.txt b/debian-13-trixie-amd64/README.txt index 625684a1..646a32a0 100644 
--- a/debian-13-trixie-amd64/README.txt +++ b/debian-13-trixie-amd64/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. diff --git a/debian-13-trixie-x86/README.txt b/debian-13-trixie-x86/README.txt index 625684a1..646a32a0 100644 --- a/debian-13-trixie-x86/README.txt +++ b/debian-13-trixie-x86/README.txt @@ -1,3 +1,3 @@ -Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. +Update.sh sourced from https://github.com/docker-32bit/debian, and is distributed under the GPL. -Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. +Note that this update script requires sudo access due to the permissions required in the debbootstrap stage and the chroot. From 48bafa99cec7a2f9a71d5ab739e30a79524dd593 Mon Sep 17 00:00:00 2001 From: Hugo van Kemenade <1324225+hugovk@users.noreply.github.com> Date: Fri, 16 Jan 2026 15:06:20 +0200 Subject: [PATCH 14/14] Lint on GitHub Actions --- .github/workflows/lint.yml | 23 +++++++++++++++++++++++ 1 file changed, 23 insertions(+) create mode 100644 .github/workflows/lint.yml diff --git a/.github/workflows/lint.yml b/.github/workflows/lint.yml new file mode 100644 index 00000000..26ef531e --- /dev/null +++ b/.github/workflows/lint.yml 
@@ -0,0 +1,23 @@ +name: Lint + +on: [push, pull_request, workflow_dispatch] + +permissions: {} + +env: + FORCE_COLOR: 1 + RUFF_OUTPUT_FORMAT: github + +concurrency: + group: ${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + lint: + runs-on: ubuntu-latest + + steps: + - uses: actions/checkout@v6 + with: + persist-credentials: false + - uses: j178/prek-action@v1
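Review bot: `j178/prek-action@v1` in the last step of the new lint.yml is a third-party action referenced by a movable tag, so the code that runs in this job can change without any change to this repository. Pinning it to a full commit hash with the tag as a trailing comment, `- uses: j178/prek-action@<FULL_COMMIT_SHA> # v1` (placeholder hash), makes updates visible in review. `permissions: {}` and `persist-credentials: false` already limit what the step could reach, so this is hardening rather than a live exposure. `RUFF_OUTPUT_FORMAT` looks unused unless one of the hooks runs ruff, which the pre-commit config shown in this series does not include.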