chore!: add shell linting to uds-common linting (#258)

defenseunicorns · Oct 4, 2024 · 82e9137 · 82e9137
1 parent 2e57869
commit 82e9137
Show file tree

Hide file tree

Showing 12 changed files with 143 additions and 36 deletions.
diff --git a/.github/workflows/callable-commitlint.yaml b/.github/workflows/callable-commitlint.yaml
@@ -36,4 +36,5 @@ jobs:
           pull_request_title: ${{ github.event.pull_request.title }}
         run: |
           echo "module.exports = {extends: ['@commitlint/config-conventional']}" > commitlint.config.js
+          # shellcheck disable=SC2154
           echo "$pull_request_title" | npx commitlint
diff --git a/.github/workflows/callable-lint.yaml b/.github/workflows/callable-lint.yaml
@@ -38,5 +38,4 @@ jobs:
 
       - name: Lint the repository
         run: |
-          uds run lint:yaml --no-progress
-          uds run lint:oscal --no-progress --set OSCALFILES=./oscal-component.yaml
+          uds run lint:all --no-progress
diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml
@@ -22,7 +22,7 @@ jobs:
         id: tag
         uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3
       - id: release-flag
-        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT
+        run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT"
 
   publish:
     permissions:

diff --git a/tasks/actions.yaml b/tasks/actions.yaml
@@ -64,21 +64,21 @@ tasks:
           CONTAINER_NAME="k3d-uds-server-0"
           if docker ps | grep -q "$CONTAINER_NAME"; then
             echo "Container $CONTAINER_NAME is running. Proceeding with log copy..."
-            docker cp ${CONTAINER_NAME}:/var/log/ /tmp/uds-containerd-logs
+            docker cp "${CONTAINER_NAME}:/var/log/" /tmp/uds-containerd-logs
           else
             echo "Container $CONTAINER_NAME is not running. Skipping log copy."
           fi
 
       - description: Dump Node Logs
         cmd: |
-          docker ps --filter "name=k3d" --format "{{.Names}}" | while read line; do
-            docker logs "$line" 2> /tmp/$line.log
+          docker ps --filter "name=k3d" --format "{{.Names}}" | while read -r line; do
+            docker logs "$line" 2> "/tmp/$line.log"
           done
 
       - description: Fix log permissions
         cmd: |
-          sudo chown $USER /tmp/zarf-*.log || echo ""
-          sudo chown $USER /tmp/uds-*.log || echo ""
+          sudo chown "$USER" /tmp/zarf-*.log || echo ""
+          sudo chown "$USER" /tmp/uds-*.log || echo ""
 
   - name: setup-environment
     description: UDS Environment Setup
@@ -166,7 +166,7 @@ tasks:
     actions:
       - description: Set Arch
         cmd: |
-          ARCH=$(uname -m) && [ "$ARCH" = "x86_64" ] && ARCH='amd64'; [ "$ARCH" = "aarch64" ] && ARCH='arm64'; echo $ARCH
+          ARCH=$(uname -m) && [ "$ARCH" = "x86_64" ] && ARCH='amd64'; [ "$ARCH" = "aarch64" ] && ARCH='arm64'; echo "$ARCH"
         shell:
           linux: bash
           darwin: bash

diff --git a/tasks/create.yaml b/tasks/create.yaml
@@ -16,8 +16,8 @@ tasks:
         default: ${UDS_ARCH}
     actions:
       - cmd: |
-          if [ ${FLAVOR} != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then
-            ./uds zarf package create ${{ .inputs.path }} --confirm --no-progress --architecture=${{ .inputs.architecture }} --flavor ${FLAVOR} ${{ .inputs.options }}
+          if [ "${FLAVOR}" != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then
+            ./uds zarf package create ${{ .inputs.path }} --confirm --no-progress --architecture="${{ .inputs.architecture }}" --flavor="${FLAVOR}" ${{ .inputs.options }}
           else
             echo "Registry1 packages cannot be made for 'arm64'"
           fi
@@ -38,8 +38,8 @@ tasks:
         default: ${UDS_ARCH}
     actions:
       - cmd: |
-          if [ ${FLAVOR} != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then
-            UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds create ${{ .inputs.path }} --confirm --no-progress --architecture=${{ .inputs.architecture }} ${{ .inputs.options }}
+          if [ "${FLAVOR}" != "registry1" ] || [ "${{ .inputs.architecture }}" != "arm64" ]; then
+            UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds create ${{ .inputs.path }} --confirm --no-progress --architecture="${{ .inputs.architecture }}" ${{ .inputs.options }}
           else
             echo "Registry1 bundles cannot be made for 'arm64'"
           fi
diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml
@@ -16,7 +16,7 @@ tasks:
         setVariables:
           - name: PACKAGE_VERSION
       - description: Deploy the UDS Zarf Package
-        cmd: ./uds zarf package deploy ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${PACKAGE_VERSION}.tar.zst --confirm --no-progress ${{ .inputs.options }}
+        cmd: ./uds zarf package deploy "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${PACKAGE_VERSION}.tar.zst" --confirm --no-progress ${{ .inputs.options }}
 
   - name: test-bundle
     inputs:
@@ -38,4 +38,4 @@ tasks:
         setVariables:
           - name: BUNDLE_VERSION
       - description: Deploy the UDS bundle with the package and its dependencies
-        cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds deploy ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst --confirm --no-progress ${{ .inputs.options }}
+        cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds deploy "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst" --confirm --no-progress ${{ .inputs.options }}
diff --git a/tasks/lint.yaml b/tasks/lint.yaml
@@ -1,6 +1,6 @@
 variables:
   - name: OSCALFILES
-    default: ./oscal.yaml
+    default: ./oscal-component.yaml
 
 tasks:
   - name: deps
@@ -9,6 +9,13 @@ tasks:
       - description: Install yamllint via pip
         cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install yamllint>=1.30.0
 
+  - name: all
+    description: Run all linting commands
+    actions:
+      - task: yaml
+      - task: oscal
+      - task: shell
+
   - name: yaml
     description: Run YAML linting checks
     actions:
@@ -20,4 +27,104 @@ tasks:
     description: Run linting checks on OSCAL
     actions:
       - description: Lint OSCAL files
-        cmd: lula tools lint -f $OSCALFILES
+        shell:
+          linux: bash
+          darwin: bash
+        cmd: |
+          IFS=',' read -r -a OSCALARRAY <<< "$OSCALFILES"
+          for file in "${OSCALARRAY[@]}"; do
+            if [ ! -f "$file" ]; then
+              echo "⚠️ WARNING: file $file does not exist."
+              exit 0
+            fi
+          done
+
+          lula tools lint -f "$OSCALFILES"
+
+  - name: shell
+    description: Run shellcheck on all Maru tasks, GitHub workflows, and local shell scripts
+    actions:
+      - description: Lint shell scripts in Maru tasks, GitHub workflows and .sh files
+        shell:
+          linux: bash
+          darwin: bash
+        cmd: |
+          # These settings:
+          # -x Assume files exist (since some scripts run on VMs)
+          # -e SC2016 Ignore unexpanded env vars (since sometimes we want to dynamically add a var to something like .bashrc)
+          # -e SC2050 Ignore if statements that are static (inputs / expressions are filtered for shellcheck to work which in some expressions makes them static)
+          # -e SC2001 Ignore sed replace suggestions (${text//search/replacement} syntax doesn't support regex so this suggestion often won't work)
+          # -e SC2002 Ignore rejection of `cat |` (redirection syntax is not always familiar to developers and while cat _could_ not exist that is extremely unlikely)
+          # -e SC2181 Ignore rejection of $? ($? can be confusing in some circumstances but also more readable in others with more complex commands)
+          export SHELLCHECK_OPTS="-x -e SC2016 -e SC2050 -e SC2001 -e SC2002 -e SC2181"
+
+          # Function to lint scripts inside `---` delimited files
+          lint_scripts() {
+            local file="$1"
+            local raw_scripts="$2"
+
+            echo "Processing $file..."
+
+            # Temporary variable to hold the current element
+            current_element=""
+
+            # Read input line by line
+            while IFS= read -r line; do
+                if [ "$line" = "---" ]; then
+                    # If we hit '---', print the current element if not empty
+                    if [ -n "$current_element" ]; then
+                        echo "$current_element" | shellcheck -
+                        current_element=""
+                    fi
+                else
+                    # Otherwise, keep adding to the current element
+                    current_element="$current_element$line
+                    "
+                fi
+            done <<< "$raw_scripts"
+
+            # Process the last element if it's not empty
+            if [ -n "$current_element" ]; then
+              echo "$current_element" | shellcheck -
+            fi
+          }
+
+          # Lint all scripts in Maru tasks
+          for yaml_file in tasks.yaml tasks/*.yaml; do
+
+            # Look through all of the task actions and format .cmd entries with a dynamic shebang based on .shell.linux
+            yaml_query='.tasks[].actions[] | "---\n#!/bin/"+(.shell.linux // "sh")+"\n"+.cmd'
+
+            # Query the actual YAML file for the commands
+            raw_cmds=$(uds zarf tools yq -r "$yaml_query" "$yaml_file")
+
+            # Strip any ${{ }} templates with the word "maru-expression" for compatibility
+            raw_scripts=$(echo "$raw_cmds" | sed 's/\${{[^}]*}}/maru-expression/g')
+
+            # If this file has scripts, lint them
+            if [ -n "$raw_scripts" ]; then
+              lint_scripts "$yaml_file" "$raw_scripts"
+            fi
+          done
+
+          # Lint all .sh files in the current directory
+          echo "Processing .sh files..."
+          find . -type f -name "*.sh" -exec shellcheck {} +
+
+          # Lint all scripts in GitHub workflows
+          for yaml_file in .github/workflows/*.yaml; do
+
+            # Look through all of the job steps and format .run entries with a dynamic shebang based on .shell
+            yaml_query='.jobs[].steps[] | "---\n#!/bin/"+(.shell // "sh")+"\n"+.run'
+
+            # Query the actual YAML file for the commands
+            raw_runs=$(uds zarf tools yq -r "$yaml_query" "$yaml_file")
+
+            # Strip any ${{ }} templates with the word "github-expression" for compatibility
+            raw_scripts=$(echo "$raw_runs" | sed 's/\${{[^}]*}}/github-expression/g')
+
+            # If this file has scripts, lint them
+            if [ -n "$raw_scripts" ]; then
+              lint_scripts "$yaml_file" "$raw_scripts"
+            fi
+          done
diff --git a/tasks/publish.yaml b/tasks/publish.yaml
@@ -34,7 +34,7 @@ tasks:
           - name: PACKAGE_NAME
       - description: Publish package for the supplied architecture
         cmd: |
-          ./uds zarf package publish ${{ .inputs.path }}/zarf-package-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst oci://${TARGET_REPO}
+          ./uds zarf package publish "${{ .inputs.path }}/zarf-package-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst" "oci://${TARGET_REPO}"
 
   - name: test-bundle
     description: Publish bundle for the supplied architecture
@@ -59,4 +59,4 @@ tasks:
           - name: BUNDLE_NAME
       - description: Publish bundle for the supplied architecture
         cmd: |
-          ./uds publish ${{ .inputs.path }}/uds-bundle-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst oci://${TARGET_REPO}/bundles --no-progress
+          ./uds publish "${{ .inputs.path }}/uds-bundle-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst" "oci://${TARGET_REPO}/bundles" --no-progress
diff --git a/tasks/pull.yaml b/tasks/pull.yaml
@@ -26,17 +26,17 @@ tasks:
         setVariables:
           - name: PACKAGE_NAME
       - description: Get latest tag version from OCI
-        cmd: ./uds zarf tools registry ls ${TARGET_REPO}/${PACKAGE_NAME} | grep ${FLAVOR} | sort -V | tail -1
+        cmd: ./uds zarf tools registry ls "${TARGET_REPO}/${PACKAGE_NAME}" | grep "${FLAVOR}" | sort -V | tail -1
         setVariables:
           - name: LATEST_VERSION
       - description: Pull the latest package release
-        cmd: ./uds zarf package pull oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION} --no-progress -o ${{ .inputs.path }}
+        cmd: ./uds zarf package pull "oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION}" --no-progress -o ${{ .inputs.path }}
       # TODO (@WSTARR): This is currently needed to get around the chicken+egg condition when release please updates the version in GH
       - description: Spoof the latest release to the current version
         cmd: |
-          if [ ${{ .inputs.spoof_release }} != "false" ]; then
+          if [ "${{ .inputs.spoof_release }}" != "false" ]; then
             CURRENT_VERSION=$(cat ${{ .inputs.path }}/zarf.yaml | yq .metadata.version)
-            test -f ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst || mv ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-*.tar.zst ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst
+            test -f "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst" || mv "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-*.tar.zst" "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst"
           fi
 
   - name: latest-bundle-release
@@ -57,15 +57,15 @@ tasks:
         setVariables:
           - name: BUNDLE_NAME
       - description: Get latest tag version from OCI
-        cmd: ./uds zarf tools registry ls ${TARGET_REPO}/bundles/${BUNDLE_NAME} | sort -V | tail -1
+        cmd: ./uds zarf tools registry ls "${TARGET_REPO}/bundles/${BUNDLE_NAME}" | sort -V | tail -1
         setVariables:
           - name: LATEST_VERSION
       - description: Pull the latest bundle release
-        cmd: ./uds pull oci://${TARGET_REPO}/bundles/${BUNDLE_NAME}:${LATEST_VERSION} --no-progress -o ${{ .inputs.path }}
+        cmd: ./uds pull "oci://${TARGET_REPO}/bundles/${BUNDLE_NAME}:${LATEST_VERSION}" --no-progress -o ${{ .inputs.path }}
       # TODO (@ZMILLER): This is currently needed to get around the chicken+egg condition when release please updates the version in GH
       - description: Spoof the latest release to the current version
         cmd: |
-          if [ ${{ .inputs.spoof_release }} != "false" ]; then
+          if [ "${{ .inputs.spoof_release }}" != "false" ]; then
             CURRENT_VERSION=$(cat ${{ .inputs.path }}/uds-bundle.yaml | yq .metadata.version)
-            test -f ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst || mv ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-*.tar.zst ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst
+            test -f "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst" || mv "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-*.tar.zst" "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst"
           fi
diff --git a/tasks/remove.yaml b/tasks/remove.yaml
@@ -19,4 +19,4 @@ tasks:
         setVariables:
           - name: BUNDLE_VERSION
       - description: Remove the UDS bundle with the package and its dependencies
-        cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds remove ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst --confirm --no-progress ${{ .inputs.options }}
+        cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds remove "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst" --confirm --no-progress ${{ .inputs.options }}
diff --git a/tasks/setup.yaml b/tasks/setup.yaml
@@ -41,13 +41,13 @@ tasks:
   - name: print-keycloak-admin-password
     actions:
       - description: Print the default keycloak admin password to standard out (if available)
-        cmd: ./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath={.data.password} | base64 -d
+        cmd: ./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath='{.data.password}' | base64 -d
 
   - name: create-doug-user
     actions:
       - description: Create a user named 'doug' in the uds realm of keycloak (using the default admin account)
         cmd: |
-          KEYCLOAK_ADMIN_PASSWORD=$(./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath={.data.password} | base64 -d)
+          KEYCLOAK_ADMIN_PASSWORD=$(./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath='{.data.password}' | base64 -d)
           KEYCLOAK_ADMIN_TOKEN=$(curl -s --location "https://keycloak.admin.uds.dev/realms/master/protocol/openid-connect/token" \
             --header "Content-Type: application/x-www-form-urlencoded" \
             --data-urlencode "username=admin" \

diff --git a/tasks/upgrade.yaml b/tasks/upgrade.yaml
@@ -48,33 +48,33 @@ tasks:
         cmd: git fetch --tags
 
       - description: Clone latest tag
-        cmd: git clone --depth 1 --branch $(git describe --tags `git rev-list --tags --max-count=1`) $(git remote get-url origin) upgrade-test
+        cmd: git clone --depth 1 --branch "$(git describe --tags "$(git rev-list --tags --max-count=1)")" "$(git remote get-url origin)" upgrade-test
 
       - description: Create test bundle
         shell:
           linux: bash
           darwin: bash
         cmd: |
           BUNDLE_VERSION=$(cat ${{ .inputs.bundle_path }}/uds-bundle.yaml | ./uds zarf tools yq .metadata.version)
-          cd upgrade-test
+          cd upgrade-test || exit
 
           # VARIABLES
           PACKAGE_NAME=$(cat ${{ .inputs.path }}/zarf.yaml | yq .metadata.name)
-          LATEST_VERSION=$(./uds zarf tools registry ls ${TARGET_REPO}/${PACKAGE_NAME} | grep ${FLAVOR} | sort -V | tail -1)
+          LATEST_VERSION=$(./uds zarf tools registry ls "${TARGET_REPO}/${PACKAGE_NAME}" | grep "${FLAVOR}" | sort -V | tail -1)
           BUNDLE_NAME=$(cat ${{ .inputs.bundle_path }}/uds-bundle.yaml | ./uds zarf tools yq .metadata.name)
           PREVIOUS_BUNDLE_VERSION=$(cat ${{ .inputs.bundle_path }}/uds-bundle.yaml | ./uds zarf tools yq .metadata.version)
 
           # Pulls latest published zarf package
           ./uds zarf package pull \
-            oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION} \
+            "oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION}" \
             --no-progress \
             -o ${{ .inputs.path }}
 
           # Run any dependency commands (i.e. uds run dependencies:create)
           sh -c "${{ .inputs.dep_commands }}"
 
           # Checks if the zarf package is registry1 and ARM
-          if [ ${FLAVOR} != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then
+          if [ "${FLAVOR}" != "registry1" ] || [ "${{ .inputs.architecture }}" != "arm64" ]; then
 
             # Creates and moves the bundle into the correct spot
             ./uds create ${{ .inputs.bundle_path }} \
@@ -83,7 +83,7 @@ tasks:
               --no-progress \
               ${{ .inputs.options }}
 
-            mv ${{ .inputs.bundle_path }}/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${PREVIOUS_BUNDLE_VERSION}.tar.zst ../bundle/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${BUNDLE_VERSION}.tar.zst
+            mv "${{ .inputs.bundle_path }}/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${PREVIOUS_BUNDLE_VERSION}.tar.zst" "../bundle/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${BUNDLE_VERSION}.tar.zst"
           else
             echo "::warning::⚠️ Registry1 bundles cannot be made for 'arm64'"
             exit 1