Use pipe fail, quote array expansion and prevent word globbing

.github/workflows/on_pr.yml

@@ -0,0 +1,88 @@
+---
+name: Pull Request
+
+on:
+  pull_request:
+    branches:
+      - main
+
+  push:
+    branches:
+      - main
+    # Don't trigger if it's just a documentation update
+    paths:
+      - "rust/**"
+      - "Dockerfile"
+      - "Dockerfile.build_binary"
+      - "rootfs/**"
+      - "downloads/**"
+      - ".env"
+
+# Set workflow-wide environment variables
+#  - REPO: repo name on dockerhub
+#  - IMAGE: image name on dockerhub
+env:
+  #  DOCKERHUB_REPO: sdr-enthusiasts
+  #  DOCKERHUB_IMAGE: vrs
+  GHCR_IMAGE: sdr-enthusiasts/docker-adsb-ultrafeeder
+  GHCR_REGISTRY: ghcr.io
+  GH_LABEL: main
+  GHCR_TAG: latest
+
+jobs:
+  hadolint:
+    name: Run hadolint against docker files
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/[email protected]
+      - name: Pull hadolint/hadolint:latest Image
+        run: docker pull hadolint/hadolint:latest
+      - name: Run hadolint against Dockerfiles
+        run: docker run --rm -i -v "$PWD":/workdir --workdir /workdir --entrypoint hadolint hadolint/hadolint --ignore DL3015 --ignore DL3003 --ignore DL3006 --ignore DL3010 --ignore DL4001 --ignore DL3007 --ignore DL3008 --ignore SC2068 --ignore DL3007 --ignore SC1091 --ignore DL3013 --ignore DL3010 $(find . -type f -iname "Dockerfile*")
+
+  deploy:
+    name: Deploy without telegraf
+    uses: sdr-enthusiasts/common-github-workflows/.github/workflows/build_and_push_image.yml@main
+    with:
+      push_enabled: false
+      push_destinations: ghcr.io
+      ghcr_repo_owner: ${{ github.repository_owner }}
+      ghcr_repo: ${{ github.repository }}
+      get_version_method: file_in_container:file=/CONTAINER_VERSION
+      # set build_latest to true if github.event.inputs.use_test_image is false
+      build_latest: true
+      build_baseimage_test: false
+      # only build the entire stack if we are not using the test image
+      build_version_specific: false
+      build_platform_specific: false
+      build_nohealthcheck: false
+      build_baseimage_url: docker-tar1090:latest/docker-tar1090:baseimage-test
+    secrets:
+      ghcr_token: ${{ secrets.GITHUB_TOKEN }}
+
+  # unfortunately we can't use build_and_push_image.yml to build the telegraf label because
+  # that GH Action doesn't have the capability to build specific custom-named labels
+
+  deploy_with_telegraf:
+    name: Deploy with telegraf and healthcheck
+    uses: sdr-enthusiasts/common-github-workflows/.github/workflows/build_and_push_image.yml@main
+    with:
+      push_enabled: false
+      push_destinations: ghcr.io
+      ghcr_repo_owner: ${{ github.repository_owner }}
+      ghcr_repo: ${{ github.repository }}
+      get_version_method: file_in_container:file=/CONTAINER_VERSION
+      # set build_latest to true if github.event.inputs.use_test_image is false
+      build_latest: true
+      build_baseimage_test: false
+      build_baseimage_url: docker-tar1090:telegraf/docker-tar1090:telegraf-baseimage-test
+      # only build the entire stack if we are not using the test image
+      build_version_specific: false
+      build_platform_specific: false
+      build_nohealthcheck: false
+      docker_latest_tag: telegraf
+      dockerfile_changes: |
+        docker-tar1090:latest/docker-tar1090:telegraf
+
+    secrets:
+      ghcr_token: ${{ secrets.GITHUB_TOKEN }}

Dockerfile

@@ -6,8 +6,8 @@ ENV URL_MLAT_CLIENT_REPO="https://github.com/wiedehopf/mlat-client.git" \
     PRIVATE_MLAT="false" \
     MLAT_INPUT_TYPE="auto"
 
-RUN set -x && \
-    TEMP_PACKAGES=() && \
+SHELL ["/bin/bash", "-x", "-o", "pipefail", "-c"]
+RUN TEMP_PACKAGES=() && \
     KEPT_PACKAGES=() && \
     # Git and net-tools are needed to install and run @Mikenye's HealthCheck framework
     KEPT_PACKAGES+=(git) && \
@@ -31,8 +31,8 @@ RUN set -x && \
     # Install all these packages:
     apt-get update -q -y && \
     apt-get install -o Dpkg::Options::="--force-confnew" -y --no-install-recommends -q \
-    ${KEPT_PACKAGES[@]} \
-    ${TEMP_PACKAGES[@]} && \
+    "${KEPT_PACKAGES[@]}" \
+    "${TEMP_PACKAGES[@]}" && \
     #
     # Compile and Install the mlat_client
     mkdir -p /git && \
@@ -45,7 +45,7 @@ RUN set -x && \
     rm -rf /git && \
     #
     # Clean up and install POST_PACKAGES:
-    apt-get remove -q -y ${TEMP_PACKAGES[@]} && \
+    apt-get remove -q -y "${TEMP_PACKAGES[@]}" && \
     # apt-get install -o Dpkg::Options::="--force-confnew" -y --no-install-recommends -q \
     # ${POST_PACKAGES[@]} && \
     apt-get autoremove -q -o APT::Autoremove::RecommendsImportant=0 -o APT::Autoremove::SuggestsImportant=0 -y && \
@@ -63,7 +63,7 @@ COPY rootfs/ /
 RUN set -x && \
     branch="##BRANCH##" && \
     [[ "${branch:0:1}" == "#" ]] && branch="main" || true && \
-    git clone --depth=1 -b $branch https://github.com/sdr-enthusiasts/docker-adsb-ultrafeeder.git /tmp/clone && \
+    git clone --depth=1 -b "$branch" https://github.com/sdr-enthusiasts/docker-adsb-ultrafeeder.git /tmp/clone && \
     pushd /tmp/clone && \
     echo "$(TZ=UTC date +%Y%m%d-%H%M%S)_$(git rev-parse --short HEAD)_$(git branch --show-current)" > /.CONTAINER_VERSION && \
     popd && \