ci: build locally with kaniko + push to DockerHub

* add hadolint Dockerfile linter step
* update Dockerfile to implement hadolint suggestions (cbp)
* switch to immawanderer/drone-kaniko as the kaniko flavour of choice

.drone.yml

@@ -1,50 +1,62 @@
 ---
 kind: pipeline
 type: docker
-name: dockerhub-build-trigger
+name: testing
 
 platform:
   os: linux
   arch: amd64
 
-clone:
-  disable: true
-
 steps:
-- name: call webhook
+- name: hadolint
   pull: always
-  image: bash:latest
+  image: hadolint/hadolint:v1.23.0-8-gb01c5a9-alpine
-  environment:
-    ENDPOINT:
-      from_secret: DOCKERHUB_ENDPOINT
   commands:
-  - apk add --no-cache curl
+  - hadolint --version
-  - curl -sO https://git.dotya.ml/${DRONE_REPO}/raw/branch/master/curl.it
+  - hadolint Dockerfile
-  - bash ./curl.it $ENDPOINT
+  when:
+    ref:
+    - refs/heads/master
+    - "refs/heads/feature-**"
+    - "refs/pull/**"
+    - "refs/tags/**"
+    event:
+      exclude: [cron]
 
-trigger:
+- name: kaniko-build
-  branch:
-  - master
-  event:
-  - push
-  - cron
-
----
-kind: pipeline
-type: docker
-name: kaniko-build
-
-platform:
-  os: linux
-  arch: amd64
-
-steps:
-- name: build
   pull: always
   image: immawanderer/drone-kaniko:efd19c50
   settings:
     dockerfile: Dockerfile
     context: .
+  when:
+    ref:
+    - "refs/heads/feature-**"
+    - "refs/pull/**"
+    - "refs/tags/**"
+    event:
+      exclude: [cron]
+
+- name: kaniko-publish
+  pull: always
+  image: immawanderer/drone-kaniko:efd19c50
+  settings:
+    dockerfile: Dockerfile
+    context: .
+    tags:
+    - latest
+    - linux-amd64
+    - ${DRONE_COMMIT_SHA:0:8}
+    repo: immawanderer/alpine-android
+    username:
+      from_secret: docker_username
+    password:
+      from_secret: docker_password
+  when:
+    ref:
+    - refs/heads/master
+    event:
+      exclude: [pull_request, tag]
+trigger:
+  event: [push, pull_request, cron, tag]
 
-depends_on:
-- dockerhub-build-trigger

.hadolint.yaml

@@ -0,0 +1,15 @@
+ignored:
+  # ad "SC2028" we actually want that here
+  - SC2028
+  # ad "DL4006" no luck - sh doesn't know `set -o pipefail`
+  - DL4006
+  # ad "DL3018" ignore recommendation to pin apk package versions
+  - DL3018
+  # ad "SC2016" we actually don't want that here and now
+  - SC2016
+  # ad "SC2039" that still works
+  - SC2039
+  # ad "DL4005" TODO - set SHELL
+  - DL4005
+  # ad "SC2086" precisely that one cannot be quoted
+  - SC2086

Dockerfile

@@ -1,3 +1,8 @@
+# syntax=docker/dockerfile:1.2
+# refs:
+#   https://docs.docker.com/develop/develop-images/build_enhancements/#overriding-default-frontends
+#   https://pythonspeed.com/articles/docker-buildkit/
+
 FROM frolvlad/alpine-java:jdk8-full as build
 ARG BUILD_DATE
 ARG VCS_REF
@@ -18,13 +23,13 @@ RUN apk update
 RUN apk add --no-cache binutils ca-certificates curl git openssl unzip --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing
 
 WORKDIR /tmp
-RUN curl -o sdk.zip -s https://dl.google.com/android/repository/sdk-tools-linux-${VERSION_SDK_TOOLS}.zip
+RUN curl -o sdk.zip -s https://dl.google.com/android/repository/sdk-tools-linux-"${VERSION_SDK_TOOLS}".zip
-RUN unzip ./sdk.zip -d ${ANDROID_SDK_ROOT}
+RUN unzip ./sdk.zip -d "${ANDROID_SDK_ROOT}"
 RUN rm -f ./sdk.zip
 
-RUN curl -o tools.zip -s https://dl.google.com/android/repository/commandlinetools-linux-${VERSION_TOOLS}_latest.zip \
+RUN curl -o tools.zip -s https://dl.google.com/android/repository/commandlinetools-linux-"${VERSION_TOOLS}"_latest.zip \
- && mkdir -p ${ANDROID_SDK_ROOT}/cmdline-tools \
+ && mkdir -p "${ANDROID_SDK_ROOT}"/cmdline-tools \
- && unzip ./tools.zip -d ${ANDROID_SDK_ROOT}/cmdline-tools \
+ && unzip ./tools.zip -d "${ANDROID_SDK_ROOT}"/cmdline-tools \
  && rm -v ./tools.zip
 
 RUN mkdir -p $ANDROID_SDK_ROOT/licenses/ \
@@ -32,14 +37,14 @@ RUN mkdir -p $ANDROID_SDK_ROOT/licenses/ \
  && echo "84831b9409646a918e30573bab4c9c91346d8abd\n504667f4c0de7af1a06de9f4b1727b84351f2910" > $ANDROID_SDK_ROOT/licenses/android-sdk-preview-license \
  && yes | ${ANDROID_SDK_ROOT}/cmdline-tools/tools/bin/sdkmanager --sdk_root=${ANDROID_SDK_ROOT} --licenses >/dev/null
 
-ADD packages.txt ${ANDROID_SDK_ROOT}
+COPY packages.txt "${ANDROID_SDK_ROOT}"
-RUN mkdir -p /$(whoami)/.android
+RUN mkdir -p /"$(whoami)"/.android
-RUN touch /$(whoami)/.android/repositories.cfg
+RUN touch /"$(whoami)"/.android/repositories.cfg
 
-RUN yes | ${ANDROID_SDK_ROOT}/tools/bin/sdkmanager --verbose --licenses
+RUN yes | "${ANDROID_SDK_ROOT}"/tools/bin/sdkmanager --verbose --licenses
-RUN ${ANDROID_SDK_ROOT}/tools/bin/sdkmanager --verbose --update
+RUN "${ANDROID_SDK_ROOT}"/tools/bin/sdkmanager --verbose --update
 
-RUN while read -r package; do PACKAGES="${PACKAGES}${package} "; done < ${ANDROID_SDK_ROOT}/packages.txt && ${ANDROID_SDK_ROOT}/tools/bin/sdkmanager --verbose ${PACKAGES}
+RUN while read -r package; do PACKAGES="${PACKAGES}${package} "; done < "${ANDROID_SDK_ROOT}"/packages.txt && ${ANDROID_SDK_ROOT}/tools/bin/sdkmanager --verbose ${PACKAGES}
 
 FROM adoptopenjdk/openjdk11:alpine-slim
 COPY --from=build /tmp/sdk /sdk
@@ -56,7 +61,7 @@ ENV GRADLE_VERSION "7.0-milestone-3"
 RUN apk add --no-cache bash curl git vim xz --repository=http://dl-cdn.alpinelinux.org/alpine/edge/testing
 
 # gradle pls
-RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch ${ASDF_VERSION} \
+RUN git clone https://github.com/asdf-vm/asdf.git ~/.asdf --branch "${ASDF_VERSION}" \
     && sed -i 's/\/bin\/ash/\/bin\/bash/' /etc/passwd && cat /etc/passwd \
     && echo -e '\n. $HOME/.asdf/asdf.sh' >> ~/.bashrc \
     && echo -e '\n. $HOME/.asdf/completions/asdf.bash' >> ~/.bashrc \