
Conversation

@phuongfi91 (Contributor) commented Dec 24, 2025

PR Type

Enhancement


Description

  • Add taplo TOML formatter and linter to Docker image

  • Configure taplo version argument with latest default

  • Copy taplo binary from official image to container

  • Add taplo installation verification test


Diagram Walkthrough

flowchart LR
  A["Dockerfile Configuration"] -->|Add TAPLO_VERSION arg| B["Build Stage"]
  B -->|Copy from tamasfe/taplo| C["Install taplo Binary"]
  C -->|Verify installation| D["Test Suite"]
  E["README.md"] -->|Document taplo| F["Tool List"]

File Walkthrough

Relevant files

Enhancement
  Dockerfile: Add taplo installation to Docker image (+6/-0)
    • Add TAPLO_VERSION build argument with latest as default value
    • Add taplo build stage from tamasfe/taplo image
    • Copy taplo binary from build stage to /usr/local/bin/taplo
    • Add comment documenting taplo as TOML formatter and linter

Documentation
  README.md: Document taplo tool in README (+1/-0)
    • Add taplo to the list of installed tools with description

Tests
  tests/specs.yaml: Add taplo installation verification test (+4/-0)
    • Add test case to verify taplo is installed and accessible in PATH
    • Test runs taplo --version command to confirm installation

Copilot AI review requested due to automatic review settings December 24, 2025 06:59
@gemini-code-assist bot commented

Summary of Changes

Hello @phuongfi91, I'm Gemini Code Assist! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request introduces taplo, a dedicated TOML formatter and linter, into the project's Docker image. This enhancement aims to improve the quality and consistency of TOML configuration files by providing a robust tool for their management and validation. The changes encompass integrating taplo into the Docker build process, updating the project documentation, and adding a new test to ensure its proper installation and functionality.

Highlights

  • Taplo Integration: The Dockerfile has been updated to include taplo, a TOML formatter and linter, allowing for consistent formatting and validation of TOML files within the environment.
  • Documentation Update: The README.md file has been updated to reflect the addition of taplo to the list of available tools, providing clear information for users.
  • Test Coverage: A new test case has been added to tests/specs.yaml to verify that taplo is correctly installed and accessible within the Docker image.


@qodo-code-review bot commented

PR Compliance Guide 🔍

Below is a summary of compliance checks for this PR:

Security Compliance
Supply chain risk

Description: The new TAPLO_VERSION=latest build arg and FROM tamasfe/taplo:${TAPLO_VERSION} introduce a supply-chain risk because a mutable/unpinned image tag (especially latest) can change over time and could deliver a compromised taplo binary into the final image; prefer pinning to an immutable digest (e.g., tamasfe/taplo@sha256:...) or enforcing a fixed version and/or verifying the binary (checksum/signature) before installing.
Dockerfile [5-22]

Referred Code
# Version of taplo to install: latest, or specific version number WITHOUT 'v' prefix e.g. 0.10.0
ARG TAPLO_VERSION=latest
# Version of hadolint to install: latest, or specific version number e.g. v2.14.0
ARG HADOLINT_VERSION=latest
# Version of shellcheck to install: latest, or specific version number e.g. v0.11.0
ARG SHELLCHECK_VERSION=latest
# Version of shfmt to install: latest, or specific version number e.g. v3.12.0
ARG SHFMT_VERSION=latest
# Version of uv to install: latest, or specific version number e.g. v0.9.17
ARG UV_VERSION=latest
# Version of reviewdog to install: latest, or specific version number e.g. v0.21.0
ARG REVIEWDOG_VERSION=latest
# Version of Snyk to install: stable, latest, or specific version number e.g. v1.1301.1
ARG SNYK_VERSION=stable

# Images which we can directly copy the binaries from
FROM rhysd/actionlint:${ACTIONLINT_VERSION} AS actionlint
FROM tamasfe/taplo:${TAPLO_VERSION} AS taplo

Ticket Compliance
🎫 No ticket provided

Codebase Duplication Compliance
Codebase context is not defined

Custom Compliance 🟢

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis and compliance.

Status: Passed

Learn more about managing compliance generic rules or creating your own custom rules

Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code self-documenting

Status: Passed

Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful degradation

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive information like PII, PHI, or cardholder data.

Status: Passed

Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent vulnerabilities

Status: Passed

Compliance status legend:
🟢 - Fully Compliant
🟡 - Partial Compliant
🔴 - Not Compliant
⚪ - Requires Further Human Verification
🏷️ - Compliance label

@gemini-code-assist bot left a comment

Code Review

This pull request adds taplo, a TOML formatter and linter, to the development Docker image. The changes are well-structured, including updates to the Dockerfile to install taplo, modification of the README.md to document its inclusion, and an addition to tests/specs.yaml to verify its installation. My review includes one suggestion to improve the new test case for better robustness.

Comment on lines +52 to +55
- name: "taplo is installed in path"
command: "taplo"
args: ["--version"]


medium

To make this test more robust, it's a good practice to also verify the output of the command. This ensures that we are running the correct executable. You can add an expectedOutput field to check for the tool's name in the version string.

  - name: "taplo is installed in path"
    command: "taplo"
    args: ["--version"]
    expectedOutput: ["taplo"]

@qodo-code-review bot commented

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Fix Taplo test YAML indentation

Correct the indentation of the args key in the taplo test case within
tests/specs.yaml to properly nest it under its parent item.

tests/specs.yaml [52-54]

 - name: "taplo is installed in path"
   command: "taplo"
- args: ["--version"]
+  args: ["--version"]
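Review bot: agreed on the re-indent; with `args` one space shallower than `command` it is not read as a key of the `- name` item, so the taplo test never gets its `--version` argument and fails, as the Why line says. While these three lines are being touched, the test still passes for any executable named `taplo` that exits 0, so folding in the `expectedOutput: ["taplo"]` check proposed in the Gemini review above would make it confirm which binary actually answered.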
Suggestion importance [1-10]: 9

Why: The suggestion correctly identifies a YAML indentation error that would cause the test for taplo to fail, making this a critical fix for the PR's verification step.

Impact: High
Suggestion: Correct version format in comment

Update the comment for TAPLO_VERSION to reflect the correct version format
(vX.Y.Z) used by tamasfe/taplo Docker tags, removing the "WITHOUT 'v' prefix"
instruction.

Dockerfile [5-6]

-# Version of taplo to install: latest, or specific version number WITHOUT 'v' prefix e.g. 0.10.0
+# Version of taplo to install: latest, or specific version number e.g. v0.10.0
 ARG TAPLO_VERSION=latest
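Review bot: the comment fix matters more than a doc nit because `TAPLO_VERSION` is spliced straight into `FROM tamasfe/taplo:${TAPLO_VERSION}`; a value that follows the old example (`0.10.0`) produces a tag the upstream image does not publish, and the build fails at pull time. The corrected line still points users at `latest` as the default, which is the mutable tag the compliance check above flags; consider documenting the digest-pinned form (`tamasfe/taplo@sha256:...`) as the recommended value in the same comment, with a fixed `vX.Y.Z` tag as the fallback.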
Suggestion importance [1-10]: 6

Why: The suggestion correctly identifies that the comment for TAPLO_VERSION provides an incorrect example version format ("WITHOUT 'v' prefix"), which would cause build failures if a user follows it.

Impact: Low

Copilot AI left a comment

Pull request overview

This PR adds taplo as a TOML formatter and linter to the Python development image, providing developers with a tool for formatting and linting TOML configuration files.

Key Changes:

  • Added taplo binary installation from the official Docker image
  • Added installation verification test
  • Updated documentation to list taplo as an available tool

Reviewed changes

Copilot reviewed 3 out of 3 changed files in this pull request and generated 1 comment.

File: Description
Dockerfile: Added ARG for taplo version, FROM statement to pull taplo image, and COPY command to install taplo binary
tests/specs.yaml: Added test to verify taplo is installed and accessible via --version flag
README.md: Added taplo to the list of included linters and formatters with description



# Images which we can directly copy the binaries from
FROM rhysd/actionlint:${ACTIONLINT_VERSION} AS actionlint
FROM tamasfe/taplo:${TAPLO_VERSION} AS taplo

Copilot AI Dec 24, 2025


The FROM tamasfe/taplo:${TAPLO_VERSION} AS taplo stage pulls a third-party image using a mutable tag (latest by default), which creates a supply-chain risk if that image or its tag is ever compromised or changed unexpectedly. Because this image is used to provide a binary that runs in your CI/container context, a malicious update could execute arbitrary code with access to your build environment and any associated secrets. Pin this dependency to an immutable reference (such as a specific image digest or vetted fixed version) and manage upgrades explicitly to reduce this attack surface.

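The Copilot comment above and the qodo compliance note earlier both flag the same thing: the `FROM tamasfe/taplo:${TAPLO_VERSION}` stage resolves to a mutable tag, so what gets copied into the final image can change without any change to the repository. As an added example that is not part of this PR or of the project, the POSIX shell script below is the kind of pre-merge check a reviewer can run over a Dockerfile. It lists every `FROM` line whose image is not pinned to an immutable `@sha256` digest, says why (tag supplied by a build ARG, explicit `latest`, no tag at all, or a tag without a digest), and skips references to earlier build stages and `scratch`. The Dockerfile it scans is constructed inline for the demo; its `ARG` and `FROM` lines are modelled on the ones quoted in this PR, and the digest it contains is an all-zero placeholder, not a real image digest.

```shell
#!/bin/sh
# Added example, not the project's code: report FROM lines that are not pinned
# to an immutable @sha256 digest. Works with any POSIX awk (no gawk extensions).

unpinned_from_lines() {
  # $1 = path to a Dockerfile. Prints "<line>: <image ref> (<reason>)" per finding.
  awk '
    function lc(s) { return tolower(s) }
    {
      line = $0
      sub(/^[ \t]+/, "", line)
      # Remember ARG defaults so a variable tag can be explained (ARG NAME=value)
      if (lc(substr(line, 1, 4)) == "arg ") {
        s = substr(line, 5); sub(/^[ \t]+/, "", s)
        eq = index(s, "=")
        if (eq > 0) defaults[substr(s, 1, eq - 1)] = substr(s, eq + 1)
        next
      }
      if (lc(substr(line, 1, 5)) != "from ") next
      n = split(line, tok, /[ \t]+/)
      ref = ""
      for (i = 2; i <= n; i++) {
        if (tok[i] ~ /^--/) continue          # skip flags such as --platform=...
        ref = tok[i]; break
      }
      if (ref == "") next
      # Record "AS <name>" so later "FROM <name>" lines are recognised as stages
      for (i = 2; i < n; i++)
        if (lc(tok[i]) == "as") stages[tok[i + 1]] = 1
      if (ref in stages || lc(ref) == "scratch") next
      # A reference ending in @sha256:<64 hex> is immutable; nothing to report
      p = index(ref, "@sha256:")
      if (p > 0 && length(ref) - p - 7 == 64) next
      m = split(ref, part, "/"); last = part[m]   # last path component carries the tag
      if (index(ref, "$") > 0) {
        reason = "tag comes from a build ARG"
        if (match(ref, /\$[{][A-Za-z_][A-Za-z0-9_]*[}]/)) {
          v = substr(ref, RSTART + 2, RLENGTH - 3)
          if (v in defaults) reason = "build ARG " v " defaults to " defaults[v]
        }
      } else if (last ~ /:latest$/) reason = "mutable latest tag"
      else if (index(last, ":") == 0) reason = "no tag, defaults to latest"
      else reason = "tagged but not digest-pinned; tags are mutable"
      printf "%d: %s (%s)\n", NR, ref, reason
    }' "$1"
}

count_unpinned() {
  # $1 = path to a Dockerfile. Prints the number of unpinned FROM lines.
  unpinned_from_lines "$1" | wc -l | tr -d ' '
}

sample_dockerfile() {
  # Writes a constructed Dockerfile (modelled on the PR, not copied from it) and prints its path.
  f="${TMPDIR:-/tmp}/pin-check-sample.$$"
  cat > "$f" <<'EOF'
# Constructed sample; the digest below is an all-zero placeholder, not a real digest
ARG TAPLO_VERSION=latest
FROM rhysd/actionlint:${ACTIONLINT_VERSION} AS actionlint
FROM tamasfe/taplo:${TAPLO_VERSION} AS taplo
FROM python:3.12-slim@sha256:0000000000000000000000000000000000000000000000000000000000000000 AS base
FROM --platform=linux/amd64 alpine:3.20 AS tools
FROM ubuntu AS bare
FROM scratch
FROM base
COPY --from=taplo /taplo /usr/local/bin/taplo
EOF
  printf '%s\n' "$f"
}

# Scan the Dockerfile given as $1, or the constructed sample when run without arguments.
if [ -n "${1:-}" ]; then
  unpinned_from_lines "$1"
else
  target=$(sample_dockerfile)
  unpinned_from_lines "$target"
  rm -f "$target"
fi
```

Saved as a script and run with a path (for example against `Dockerfile` in CI), it reports four of the sample's eight `FROM` lines; a job can fail when the output is non-empty. Once a stage is rewritten as `FROM tamasfe/taplo@sha256:<digest>` it drops off the report, and moving to a newer taplo becomes an explicit digest change that shows up in review rather than a silent pull-time substitution.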
@phuongfi91 phuongfi91 merged commit cd6f12a into latest Dec 24, 2025
12 checks passed
@phuongfi91 phuongfi91 deleted the feat/phuongfi91/add-taplo branch December 24, 2025 07:15
