Skip to content

feat: Add taplo as TOML formatter and linter #16

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
phuongfi91 merged 1 commit into from
Dec 24, 2025
Merged

feat: Add taplo as TOML formatter and linter #16

Show file tree
Hide file tree
Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
6 changes: 6 additions & 0 deletions Dockerfile
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -2,6 +2,8 @@

# Version of actionlint to install: latest, or specific version number WITHOUT 'v' prefix e.g. 1.7.5
ARG ACTIONLINT_VERSION=latest
# Version of taplo to install: latest, or specific version number WITHOUT 'v' prefix e.g. 0.10.0
ARG TAPLO_VERSION=latest
# Version of hadolint to install: latest, or specific version number e.g. v2.14.0
ARG HADOLINT_VERSION=latest
# Version of shellcheck to install: latest, or specific version number e.g. v0.11.0
Expand All @@ -17,6 +19,7 @@ ARG SNYK_VERSION=stable

# Images which we can directly copy the binaries from
FROM rhysd/actionlint:${ACTIONLINT_VERSION} AS actionlint
FROM tamasfe/taplo:${TAPLO_VERSION} AS taplo
Copy link

Copilot AI Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

The FROM tamasfe/taplo:${TAPLO_VERSION} AS taplo stage pulls a third-party image using a mutable tag (latest by default), which creates a supply-chain risk if that image or its tag is ever compromised or changed unexpectedly. Because this image is used to provide a binary that runs in your CI/container context, a malicious update could execute arbitrary code with access to your build environment and any associated secrets. Pin this dependency to an immutable reference (such as a specific image digest or vetted fixed version) and manage upgrades explicitly to reduce this attack surface.

Copilot uses AI. Check for mistakes.
FROM hadolint/hadolint:${HADOLINT_VERSION} AS hadolint
FROM koalaman/shellcheck:${SHELLCHECK_VERSION} AS shellcheck
FROM mvdan/shfmt:${SHFMT_VERSION} AS shfmt
Expand Down Expand Up @@ -142,6 +145,9 @@ COPY --from=hadolint /bin/hadolint /usr/local/bin/hadolint
# Install actionlint
COPY --from=actionlint /usr/local/bin/actionlint /usr/local/bin/actionlint

# Install taplo (TOML formatter and linter)
COPY --from=taplo /taplo /usr/local/bin/taplo

# Install shellcheck
# Required for shellcheck vscode extension and actionlint
COPY --from=shellcheck /bin/shellcheck /usr/local/bin/shellcheck
Expand Down
1 change: 1 addition & 0 deletions README.md
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -19,6 +19,7 @@ It contains the necessary dependencies for running various linters and type chec
- `reviewdog` - for code review
- `hadolint` - for linting Dockerfile
- `actionlint` - static checker for GitHub Actions workflow files
- `taplo` - TOML formatter and linter

Alternative unix power tools:

Expand Down
4 changes: 4 additions & 0 deletions tests/specs.yaml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -49,6 +49,10 @@ commandTests:
command: "actionlint"
args: ["--version"]

- name: "taplo is installed in path"
command: "taplo"
args: ["--version"]

Comment on lines +52 to +55
Copy link

@gemini-code-assist gemini-code-assist bot Dec 24, 2025

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

To make this test more robust, it's a good practice to also verify the output of the command. This ensures that we are running the correct executable. You can add an expectedOutput field to check for the tool's name in the version string.

  - name: "taplo is installed in path"
    command: "taplo"
    args: ["--version"]
    expectedOutput: ["taplo"]

- name: "watchman is installed in path"
command: "watchman"
args: ["--version"]
Expand Down