actuarysailor
diff --git a/‎.dockerignore
Lines changed: 5 additions & 0 deletions b/‎.dockerignore
Lines changed: 5 additions & 0 deletions
diff --git a/‎.github/workflows/build-image-test.yaml
Lines changed: 37 additions & 15 deletions b/‎.github/workflows/build-image-test.yaml
Lines changed: 37 additions & 15 deletions
diff --git a/‎.github/workflows/build-image.yaml
Lines changed: 41 additions & 45 deletions b/‎.github/workflows/build-image.yaml
Lines changed: 41 additions & 45 deletions
diff --git a/‎.pre-commit-hooks.yaml
Lines changed: 82 additions & 0 deletions b/‎.pre-commit-hooks.yaml
Lines changed: 82 additions & 0 deletions
diff --git a/‎Dockerfile
Lines changed: 10 additions & 0 deletions b/‎Dockerfile
Lines changed: 10 additions & 0 deletions
@@ -3,3 +3,8 @@
 !Dockerfile
 !tools/entrypoint.sh
 !tools/install/*.sh
+!hooks/
+!lib_getopt
+!src/
+!hooks/*.sh
+!lib_getopt
@@ -18,17 +18,23 @@ jobs:
 
     strategy:
       matrix:
-        arch:
-        - amd64
-        - arm64
         include:
         - os-name: Ubuntu x64
           os: ubuntu-latest
           arch: amd64
-
+          dockerfile: Dockerfile
         - os-name: Ubuntu ARM
           os: ubuntu-24.04-arm
           arch: arm64
+          dockerfile: Dockerfile
+        - os-name: Ubuntu x64 (tools)
+          os: ubuntu-latest
+          arch: amd64
+          dockerfile: Dockerfile.tools
+        - os-name: Ubuntu ARM (tools)
+          os: ubuntu-24.04-arm
+          arch: arm64
+          dockerfile: Dockerfile.tools
 
     name: ${{ matrix.os-name }}
     runs-on: ${{ matrix.os }}
@@ -45,27 +51,29 @@ jobs:
         files: |
           .dockerignore
           .github/workflows/build-image-test.yaml
-          Dockerfile
+          ${{ matrix.dockerfile }}
           tools/entrypoint.sh
           tools/install/*.sh
 
     - name: Set IMAGE environment variable
       if: steps.changed-files-specific.outputs.any_changed == 'true'
-      # Lowercase the org/repo name to allow for workflow to run in forks,
-      # which owners have uppercase letters in username
-      run: >-
-        echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}"
-        >> $GITHUB_ENV
+      run: |
+        if [[ "${{ matrix.dockerfile }}" == "Dockerfile" ]]; then
+          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}" >> $GITHUB_ENV
+        else
+          echo "IMAGE=ghcr.io/${GITHUB_REPOSITORY@L}:${{ env.IMAGE_TAG }}-tools" >> $GITHUB_ENV
+        fi
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
       if: steps.changed-files-specific.outputs.any_changed == 'true'
 
-    - name: Build if Dockerfile changed
+    - name: Build if "${{ matrix.dockerfile }}" changed
       if: steps.changed-files-specific.outputs.any_changed == 'true'
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
+        file: ${{ matrix.dockerfile }}
         build-args: |
           INSTALL_ALL=true
         push: false
@@ -98,8 +106,7 @@ jobs:
         IMAGE_NAME: ${{ env.IMAGE }}
       run: >-
         container-structure-test test
-        --config ${{ github.workspace
-        }}/.github/.container-structure-test-config.yaml
+        --config ${{ github.workspace }}/.github/.container-structure-test-config.yaml
         --image "${IMAGE_NAME}"
 
     - name: Dive - check image for waste files
@@ -112,8 +119,9 @@ jobs:
 
     # Can't build both platforms and use --load at the same time
     # https://github.com/docker/buildx/issues/59#issuecomment-1433097926
-    - name: Build Multi-arch docker-image
-      if: >-
+    # Build Multi-arch docker-image
+    - name: Build Multi-arch "${{ matrix.dockerfile }}"
+      if: >
         steps.changed-files-specific.outputs.any_changed == 'true'
         && matrix.os == 'ubuntu-latest'
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
@@ -128,3 +136,17 @@ jobs:
         provenance: false
         secrets: |
           "github_token=${{ secrets.GITHUB_TOKEN }}"
+
+    # Only run smoke tests for the tools image
+    - name: Smoke test tools image
+      if: >
+        steps.changed-files-specific.outputs.any_changed == 'true'
+        && matrix.os == 'ubuntu-latest'
+        && matrix.dockerfile == 'Dockerfile.tools'
+      env:
+        TOOLS_IMAGE: ${{ env.IMAGE }}
+      run: |
+        echo "Testing tools image: $TOOLS_IMAGE"
+        docker run --rm "$TOOLS_IMAGE" terraform --version
+        docker run --rm "$TOOLS_IMAGE" terraform-docs --version
+        docker run --rm "$TOOLS_IMAGE" tflint --version
@@ -6,18 +6,26 @@ on:
     types:
     - created
   schedule:
-  - cron: 00 00 * * *
+  - cron: 00 00 * * 0
 
 permissions:
   contents: read
+  # for docker/build-push-action to publish docker image
+  packages: write
+
+env:
+  REGISTRY: ghcr.io
 
 jobs:
   docker:
-    permissions:
-      # for docker/build-push-action to publish docker image
-      packages: write
-
     runs-on: ubuntu-latest
+    strategy:
+      matrix:
+        include:
+        - dockerfile: Dockerfile
+          image_name: ${{ github.repository }}
+        - dockerfile: Dockerfile.tools
+          image_name: ${{ github.repository }}-tools
     steps:
     - name: Checkout code
       uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683  # v4.2.2
@@ -26,60 +34,48 @@ jobs:
 
     - name: Set up Docker Buildx
       uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
+
     - name: Login to GitHub Container Registry
       uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1  # v3.5.0
       with:
-        registry: ghcr.io
-        username: ${{ github.repository_owner }}
+        registry: ${{ env.REGISTRY }}
+        username: ${{ github.actor }}
         password: ${{ secrets.GITHUB_TOKEN }}
-    - name: Set tag for image
-      env:
-        REF_TYPE: ${{ github.ref_type }}
-        REF_NAME: ${{ github.ref_name }}
-      run: >-
-        echo IMAGE_TAG=$(
-        [ $REF_TYPE == 'tag' ]
-        && echo $REF_NAME
-        || echo 'latest'
-        ) >> $GITHUB_ENV
-
-    - name: Set IMAGE_REPO environment variable
-      # Lowercase the org/repo name to allow for workflow to run in forks,
-      # which owners have uppercase letters in username
-      run: >-
-        echo "IMAGE_REPO=ghcr.io/${GITHUB_REPOSITORY@L}" >> $GITHUB_ENV
-    - name: Set up Docker Buildx
-      uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435  # v3.11.1
 
-    - name: Build and Push release
-      if: github.event_name != 'schedule'
-      uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
+    - name: Extract metadata (tags, labels) for Docker
+      id: meta
+      uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f
       with:
-        context: .
-        build-args: |
-          INSTALL_ALL=true
-        platforms: linux/amd64,linux/arm64
-        push: true
+        images: ${{ env.REGISTRY }}/${{ matrix.image_name }}
         tags: |
-          ${{ env.IMAGE_REPO }}:${{ env.IMAGE_TAG }}
-          ${{ env.IMAGE_REPO }}:latest
-        # Fix multi-platform: https://github.com/docker/buildx/issues/1533
-        provenance: false
-        secrets: |
-          "github_token=${{ secrets.GITHUB_TOKEN }}"
+          type=ref,event=branch
+          type=ref,event=pr
+          type=sha
+          type=raw,value=latest,enable={{is_default_branch}}
+          type=raw,value={{github.ref_name}},enable={{github.ref_type == 'tag'}}
+          type=raw,value=nightly,enable={{github.event_name == 'schedule'}}
 
-    - name: Build and Push nightly
-      if: github.event_name == 'schedule'
+    - name: Build and Push release
       uses: docker/build-push-action@263435318d21b8e681c14492fe198d362a7d2c83  # v6.18.0
       with:
         context: .
+        file: ${{ matrix.dockerfile }}
         build-args: |
           INSTALL_ALL=true
         platforms: linux/amd64,linux/arm64
         push: true
-        tags: |
-          ${{ env.IMAGE_REPO }}:nightly
+        tags: ${{ steps.meta.outputs.tags }}
+        labels: ${{ steps.meta.outputs.labels }}
         # Fix multi-platform: https://github.com/docker/buildx/issues/1533
         provenance: false
-        secrets: |
-          "github_token=${{ secrets.GITHUB_TOKEN }}"
+
+    - name: Test tools image
+      if: matrix.dockerfile == 'Dockerfile.tools' && github.event_name != 'schedule'
+      env:
+        IMAGE_TAGS: ${{ steps.meta.outputs.tags }}
+      run: |
+        IMAGE_TAG=$(echo "$IMAGE_TAGS" | head -n1)
+        echo "Testing tools image: $IMAGE_TAG"
+        docker run --rm "$IMAGE_TAG" terraform --version
+        docker run --rm "$IMAGE_TAG" terraform-docs --version
+        docker run --rm "$IMAGE_TAG" tflint --version
@@ -178,3 +178,85 @@
   - --args=terraform
   files: \.(tf|tofu)$
   require_serial: true
+
+# Docker-based versions of hooks (non-breaking additions)
+- id: terraform_fmt_docker
+  name: Terraform fmt (Docker)
+  description: >-
+    Rewrites all Terraform configuration files to a canonical format using Docker.
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [terraform, fmt]
+  files: \.(tf|tofu|tfvars|tftest\.hcl|tfmock\.hcl)$
+  exclude: \.terraform/.*$
+
+- id: terraform_validate_docker
+  name: Terraform validate (Docker)
+  description: Validates all Terraform configuration files using Docker.
+  require_serial: true
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [terraform, validate]
+  pass_filenames: false
+  files: \.(tf|tofu|tfvars|terraform\.lock\.hcl)$
+  exclude: \.terraform/.*$
+
+- id: terraform_tflint_docker
+  name: Terraform validate with tflint (Docker)
+  description: Validates all Terraform configuration files with TFLint using
+    Docker.
+  require_serial: true
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [tflint, --chdir=.]
+  pass_filenames: false
+  files: \.(tf|tofu|tfvars)$
+  exclude: \.terraform/.*$
+
+- id: terraform_docs_docker
+  name: Terraform docs (Docker)
+  description: >-
+    Inserts input and output documentation into README.md using Docker.
+  require_serial: true
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [terraform-docs, markdown, table, ., --output-file, README.md]
+  pass_filenames: false
+  files: \.(tf|tofu|terraform\.lock\.hcl)$
+  exclude: \.terraform/.*$
+
+- id: terraform_checkov_docker
+  name: Checkov (Docker)
+  description: Runs checkov on Terraform templates using Docker.
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [checkov, -d, .]
+  pass_filenames: false
+  always_run: false
+  files: \.(tf|tofu)$
+  exclude: \.terraform/.*$
+  require_serial: true
+
+- id: terraform_trivy_docker
+  name: Terraform validate with trivy (Docker)
+  description: >-
+    Static analysis of Terraform templates to spot potential security issues
+    using Docker.
+  require_serial: true
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [trivy, config, .]
+  pass_filenames: false
+  files: \.(tf|tofu|tfvars)$
+  exclude: \.terraform/.*$
+
+- id: infracost_breakdown_docker
+  name: Infracost breakdown (Docker)
+  description: Check terraform infrastructure cost using Docker.
+  entry: ghcr.io/actuarysailor/pre-commit-terraform-tools:latest
+  language: docker_image
+  args: [infracost, breakdown, --path, .]
+  pass_filenames: false
+  require_serial: true
+  files: \.(tf|tofu|tfvars|hcl)$
+  exclude: \.terraform/.*$
@@ -135,6 +135,11 @@ COPY --from=builder /usr/local/lib/python3.12/site-packages/ /usr/local/lib/pyth
 # Copy terrascan policies
 COPY --from=builder /root/ /root/
 
+# Copy hook scripts for Docker-based hooks
+COPY hooks/ /usr/local/bin/hooks/
+COPY lib_getopt /usr/local/bin/
+COPY src/pre_commit_terraform/ /usr/local/lib/python3.12/site-packages/pre_commit_terraform/
+
 # Install hooks extra deps
 RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" = "" ]; then \
         apk add --no-cache perl=~5 \
@@ -148,6 +153,11 @@ RUN if [ "$(grep -o '^terraform-docs SKIPPED$' /usr/bin/tools_versions_info)" =
 
 COPY tools/entrypoint.sh /entrypoint.sh
 
+# Copy hook scripts for docker_image language support
+COPY hooks/ /usr/bin/hooks/
+COPY lib_getopt /usr/bin/lib_getopt
+RUN chmod +x /usr/bin/hooks/*.sh
+
 ENV PRE_COMMIT_COLOR=${PRE_COMMIT_COLOR:-always}
 
 ENV INFRACOST_API_KEY=${INFRACOST_API_KEY:-}