diff --git a/.github/workflows/callable-commitlint.yaml b/.github/workflows/callable-commitlint.yaml index 629eaa95..79215a14 100644 --- a/.github/workflows/callable-commitlint.yaml +++ b/.github/workflows/callable-commitlint.yaml @@ -36,4 +36,5 @@ jobs: pull_request_title: ${{ github.event.pull_request.title }} run: | echo "module.exports = {extends: ['@commitlint/config-conventional']}" > commitlint.config.js + # shellcheck disable=SC2154 echo "$pull_request_title" | npx commitlint diff --git a/.github/workflows/callable-lint.yaml b/.github/workflows/callable-lint.yaml index 476762b6..c9dad354 100644 --- a/.github/workflows/callable-lint.yaml +++ b/.github/workflows/callable-lint.yaml @@ -38,5 +38,4 @@ jobs: - name: Lint the repository run: | - uds run lint:yaml --no-progress - uds run lint:oscal --no-progress --set OSCALFILES=./oscal-component.yaml + uds run lint:all --no-progress diff --git a/.github/workflows/release.yaml b/.github/workflows/release.yaml index ded25d0a..93258cbe 100644 --- a/.github/workflows/release.yaml +++ b/.github/workflows/release.yaml @@ -22,7 +22,7 @@ jobs: id: tag uses: googleapis/release-please-action@7987652d64b4581673a76e33ad5e98e3dd56832f # v4.1.3 - id: release-flag - run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> $GITHUB_OUTPUT + run: echo "release_created=${{ steps.tag.outputs.release_created || false }}" >> "$GITHUB_OUTPUT" publish: permissions: diff --git a/tasks/actions.yaml b/tasks/actions.yaml index 49d37ad3..5be293f4 100644 --- a/tasks/actions.yaml +++ b/tasks/actions.yaml @@ -64,21 +64,21 @@ tasks: CONTAINER_NAME="k3d-uds-server-0" if docker ps | grep -q "$CONTAINER_NAME"; then echo "Container $CONTAINER_NAME is running. Proceeding with log copy..." - docker cp ${CONTAINER_NAME}:/var/log/ /tmp/uds-containerd-logs + docker cp "${CONTAINER_NAME}:/var/log/" /tmp/uds-containerd-logs else echo "Container $CONTAINER_NAME is not running. Skipping log copy." fi - description: Dump Node Logs cmd: | - docker ps --filter "name=k3d" --format "{{.Names}}" | while read line; do - docker logs "$line" 2> /tmp/$line.log + docker ps --filter "name=k3d" --format "{{.Names}}" | while read -r line; do + docker logs "$line" 2> "/tmp/$line.log" done - description: Fix log permissions cmd: | - sudo chown $USER /tmp/zarf-*.log || echo "" - sudo chown $USER /tmp/uds-*.log || echo "" + sudo chown "$USER" /tmp/zarf-*.log || echo "" + sudo chown "$USER" /tmp/uds-*.log || echo "" - name: setup-environment description: UDS Environment Setup @@ -166,7 +166,7 @@ tasks: actions: - description: Set Arch cmd: | - ARCH=$(uname -m) && [ "$ARCH" = "x86_64" ] && ARCH='amd64'; [ "$ARCH" = "aarch64" ] && ARCH='arm64'; echo $ARCH + ARCH=$(uname -m) && [ "$ARCH" = "x86_64" ] && ARCH='amd64'; [ "$ARCH" = "aarch64" ] && ARCH='arm64'; echo "$ARCH" shell: linux: bash darwin: bash diff --git a/tasks/create.yaml b/tasks/create.yaml index ed890099..8bf4a8dd 100644 --- a/tasks/create.yaml +++ b/tasks/create.yaml @@ -16,8 +16,8 @@ tasks: default: ${UDS_ARCH} actions: - cmd: | - if [ ${FLAVOR} != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then - ./uds zarf package create ${{ .inputs.path }} --confirm --no-progress --architecture=${{ .inputs.architecture }} --flavor ${FLAVOR} ${{ .inputs.options }} + if [ "${FLAVOR}" != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then + ./uds zarf package create ${{ .inputs.path }} --confirm --no-progress --architecture="${{ .inputs.architecture }}" --flavor="${FLAVOR}" ${{ .inputs.options }} else echo "Registry1 packages cannot be made for 'arm64'" fi @@ -38,8 +38,8 @@ tasks: default: ${UDS_ARCH} actions: - cmd: | - if [ ${FLAVOR} != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then - UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds create ${{ .inputs.path }} --confirm --no-progress --architecture=${{ .inputs.architecture }} ${{ .inputs.options }} + if [ "${FLAVOR}" != "registry1" ] || [ "${{ .inputs.architecture }}" != "arm64" ]; then + UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds create ${{ .inputs.path }} --confirm --no-progress --architecture="${{ .inputs.architecture }}" ${{ .inputs.options }} else echo "Registry1 bundles cannot be made for 'arm64'" fi diff --git a/tasks/deploy.yaml b/tasks/deploy.yaml index fdf3ea80..f506c008 100644 --- a/tasks/deploy.yaml +++ b/tasks/deploy.yaml @@ -16,7 +16,7 @@ tasks: setVariables: - name: PACKAGE_VERSION - description: Deploy the UDS Zarf Package - cmd: ./uds zarf package deploy ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${PACKAGE_VERSION}.tar.zst --confirm --no-progress ${{ .inputs.options }} + cmd: ./uds zarf package deploy "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${PACKAGE_VERSION}.tar.zst" --confirm --no-progress ${{ .inputs.options }} - name: test-bundle inputs: @@ -38,4 +38,4 @@ tasks: setVariables: - name: BUNDLE_VERSION - description: Deploy the UDS bundle with the package and its dependencies - cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds deploy ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst --confirm --no-progress ${{ .inputs.options }} + cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds deploy "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst" --confirm --no-progress ${{ .inputs.options }} diff --git a/tasks/lint.yaml b/tasks/lint.yaml index 099a23f5..5628d447 100644 --- a/tasks/lint.yaml +++ b/tasks/lint.yaml @@ -1,6 +1,6 @@ variables: - name: OSCALFILES - default: ./oscal.yaml + default: ./oscal-component.yaml tasks: - name: deps @@ -9,6 +9,13 @@ tasks: - description: Install yamllint via pip cmd: CMD=pip && which $CMD || CMD=pip3 && $CMD install yamllint>=1.30.0 + - name: all + description: Run all linting commands + actions: + - task: yaml + - task: oscal + - task: shell + - name: yaml description: Run YAML linting checks actions: @@ -20,4 +27,104 @@ tasks: description: Run linting checks on OSCAL actions: - description: Lint OSCAL files - cmd: lula tools lint -f $OSCALFILES + shell: + linux: bash + darwin: bash + cmd: | + IFS=',' read -r -a OSCALARRAY <<< "$OSCALFILES" + for file in "${OSCALARRAY[@]}"; do + if [ ! -f "$file" ]; then + echo "⚠️ WARNING: file $file does not exist." + exit 0 + fi + done + + lula tools lint -f "$OSCALFILES" + + - name: shell + description: Run shellcheck on all Maru tasks, GitHub workflows, and local shell scripts + actions: + - description: Lint shell scripts in Maru tasks, GitHub workflows and .sh files + shell: + linux: bash + darwin: bash + cmd: | + # These settings: + # -x Assume files exist (since some scripts run on VMs) + # -e SC2016 Ignore unexpanded env vars (since sometimes we want to dynamically add a var to something like .bashrc) + # -e SC2050 Ignore if statements that are static (inputs / expressions are filtered for shellcheck to work which in some expressions makes them static) + # -e SC2001 Ignore sed replace suggestions (${text//search/replacement} syntax doesn't support regex so this suggestion often won't work) + # -e SC2002 Ignore rejection of `cat |` (redirection syntax is not always familiar to developers and while cat _could_ not exist that is extremely unlikely) + # -e SC2181 Ignore rejection of $? ($? can be confusing in some circumstances but also more readable in others with more complex commands) + export SHELLCHECK_OPTS="-x -e SC2016 -e SC2050 -e SC2001 -e SC2002 -e SC2181" + + # Function to lint scripts inside `---` delimited files + lint_scripts() { + local file="$1" + local raw_scripts="$2" + + echo "Processing $file..." + + # Temporary variable to hold the current element + current_element="" + + # Read input line by line + while IFS= read -r line; do + if [ "$line" = "---" ]; then + # If we hit '---', print the current element if not empty + if [ -n "$current_element" ]; then + echo "$current_element" | shellcheck - + current_element="" + fi + else + # Otherwise, keep adding to the current element + current_element="$current_element$line + " + fi + done <<< "$raw_scripts" + + # Process the last element if it's not empty + if [ -n "$current_element" ]; then + echo "$current_element" | shellcheck - + fi + } + + # Lint all scripts in Maru tasks + for yaml_file in tasks.yaml tasks/*.yaml; do + + # Look through all of the task actions and format .cmd entries with a dynamic shebang based on .shell.linux + yaml_query='.tasks[].actions[] | "---\n#!/bin/"+(.shell.linux // "sh")+"\n"+.cmd' + + # Query the actual YAML file for the commands + raw_cmds=$(uds zarf tools yq -r "$yaml_query" "$yaml_file") + + # Strip any ${{ }} templates with the word "maru-expression" for compatibility + raw_scripts=$(echo "$raw_cmds" | sed 's/\${{[^}]*}}/maru-expression/g') + + # If this file has scripts, lint them + if [ -n "$raw_scripts" ]; then + lint_scripts "$yaml_file" "$raw_scripts" + fi + done + + # Lint all .sh files in the current directory + echo "Processing .sh files..." + find . -type f -name "*.sh" -exec shellcheck {} + + + # Lint all scripts in GitHub workflows + for yaml_file in .github/workflows/*.yaml; do + + # Look through all of the job steps and format .run entries with a dynamic shebang based on .shell + yaml_query='.jobs[].steps[] | "---\n#!/bin/"+(.shell // "sh")+"\n"+.run' + + # Query the actual YAML file for the commands + raw_runs=$(uds zarf tools yq -r "$yaml_query" "$yaml_file") + + # Strip any ${{ }} templates with the word "github-expression" for compatibility + raw_scripts=$(echo "$raw_runs" | sed 's/\${{[^}]*}}/github-expression/g') + + # If this file has scripts, lint them + if [ -n "$raw_scripts" ]; then + lint_scripts "$yaml_file" "$raw_scripts" + fi + done diff --git a/tasks/publish.yaml b/tasks/publish.yaml index 3c7ec640..d30f980b 100644 --- a/tasks/publish.yaml +++ b/tasks/publish.yaml @@ -34,7 +34,7 @@ tasks: - name: PACKAGE_NAME - description: Publish package for the supplied architecture cmd: | - ./uds zarf package publish ${{ .inputs.path }}/zarf-package-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst oci://${TARGET_REPO} + ./uds zarf package publish "${{ .inputs.path }}/zarf-package-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst" "oci://${TARGET_REPO}" - name: test-bundle description: Publish bundle for the supplied architecture @@ -59,4 +59,4 @@ tasks: - name: BUNDLE_NAME - description: Publish bundle for the supplied architecture cmd: | - ./uds publish ${{ .inputs.path }}/uds-bundle-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst oci://${TARGET_REPO}/bundles --no-progress + ./uds publish "${{ .inputs.path }}/uds-bundle-${{ .inputs.name }}-${{ .inputs.architecture }}-${{ .inputs.version }}.tar.zst" "oci://${TARGET_REPO}/bundles" --no-progress diff --git a/tasks/pull.yaml b/tasks/pull.yaml index 327c928c..d6d25681 100644 --- a/tasks/pull.yaml +++ b/tasks/pull.yaml @@ -26,17 +26,17 @@ tasks: setVariables: - name: PACKAGE_NAME - description: Get latest tag version from OCI - cmd: ./uds zarf tools registry ls ${TARGET_REPO}/${PACKAGE_NAME} | grep ${FLAVOR} | sort -V | tail -1 + cmd: ./uds zarf tools registry ls "${TARGET_REPO}/${PACKAGE_NAME}" | grep "${FLAVOR}" | sort -V | tail -1 setVariables: - name: LATEST_VERSION - description: Pull the latest package release - cmd: ./uds zarf package pull oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION} --no-progress -o ${{ .inputs.path }} + cmd: ./uds zarf package pull "oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION}" --no-progress -o ${{ .inputs.path }} # TODO (@WSTARR): This is currently needed to get around the chicken+egg condition when release please updates the version in GH - description: Spoof the latest release to the current version cmd: | - if [ ${{ .inputs.spoof_release }} != "false" ]; then + if [ "${{ .inputs.spoof_release }}" != "false" ]; then CURRENT_VERSION=$(cat ${{ .inputs.path }}/zarf.yaml | yq .metadata.version) - test -f ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst || mv ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-*.tar.zst ${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst + test -f "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst" || mv "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-*.tar.zst" "${{ .inputs.path }}/zarf-package-${PACKAGE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst" fi - name: latest-bundle-release @@ -57,15 +57,15 @@ tasks: setVariables: - name: BUNDLE_NAME - description: Get latest tag version from OCI - cmd: ./uds zarf tools registry ls ${TARGET_REPO}/bundles/${BUNDLE_NAME} | sort -V | tail -1 + cmd: ./uds zarf tools registry ls "${TARGET_REPO}/bundles/${BUNDLE_NAME}" | sort -V | tail -1 setVariables: - name: LATEST_VERSION - description: Pull the latest bundle release - cmd: ./uds pull oci://${TARGET_REPO}/bundles/${BUNDLE_NAME}:${LATEST_VERSION} --no-progress -o ${{ .inputs.path }} + cmd: ./uds pull "oci://${TARGET_REPO}/bundles/${BUNDLE_NAME}:${LATEST_VERSION}" --no-progress -o ${{ .inputs.path }} # TODO (@ZMILLER): This is currently needed to get around the chicken+egg condition when release please updates the version in GH - description: Spoof the latest release to the current version cmd: | - if [ ${{ .inputs.spoof_release }} != "false" ]; then + if [ "${{ .inputs.spoof_release }}" != "false" ]; then CURRENT_VERSION=$(cat ${{ .inputs.path }}/uds-bundle.yaml | yq .metadata.version) - test -f ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst || mv ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-*.tar.zst ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst + test -f "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst" || mv "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-*.tar.zst" "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${CURRENT_VERSION}.tar.zst" fi diff --git a/tasks/remove.yaml b/tasks/remove.yaml index 074760b5..edc617f3 100644 --- a/tasks/remove.yaml +++ b/tasks/remove.yaml @@ -19,4 +19,4 @@ tasks: setVariables: - name: BUNDLE_VERSION - description: Remove the UDS bundle with the package and its dependencies - cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds remove ${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst --confirm --no-progress ${{ .inputs.options }} + cmd: UDS_CONFIG=${{ .inputs.path }}/${{ .inputs.config }} ./uds remove "${{ .inputs.path }}/uds-bundle-${BUNDLE_NAME}-${UDS_ARCH}-${BUNDLE_VERSION}.tar.zst" --confirm --no-progress ${{ .inputs.options }} diff --git a/tasks/setup.yaml b/tasks/setup.yaml index e34f0355..96a51c8a 100644 --- a/tasks/setup.yaml +++ b/tasks/setup.yaml @@ -41,13 +41,13 @@ tasks: - name: print-keycloak-admin-password actions: - description: Print the default keycloak admin password to standard out (if available) - cmd: ./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath={.data.password} | base64 -d + cmd: ./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath='{.data.password}' | base64 -d - name: create-doug-user actions: - description: Create a user named 'doug' in the uds realm of keycloak (using the default admin account) cmd: | - KEYCLOAK_ADMIN_PASSWORD=$(./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath={.data.password} | base64 -d) + KEYCLOAK_ADMIN_PASSWORD=$(./uds zarf tools kubectl get secret -n keycloak keycloak-admin-password -o jsonpath='{.data.password}' | base64 -d) KEYCLOAK_ADMIN_TOKEN=$(curl -s --location "https://keycloak.admin.uds.dev/realms/master/protocol/openid-connect/token" \ --header "Content-Type: application/x-www-form-urlencoded" \ --data-urlencode "username=admin" \ diff --git a/tasks/upgrade.yaml b/tasks/upgrade.yaml index 4935daa0..c1db029a 100644 --- a/tasks/upgrade.yaml +++ b/tasks/upgrade.yaml @@ -48,7 +48,7 @@ tasks: cmd: git fetch --tags - description: Clone latest tag - cmd: git clone --depth 1 --branch $(git describe --tags `git rev-list --tags --max-count=1`) $(git remote get-url origin) upgrade-test + cmd: git clone --depth 1 --branch "$(git describe --tags "$(git rev-list --tags --max-count=1)")" "$(git remote get-url origin)" upgrade-test - description: Create test bundle shell: @@ -56,17 +56,17 @@ tasks: darwin: bash cmd: | BUNDLE_VERSION=$(cat ${{ .inputs.bundle_path }}/uds-bundle.yaml | ./uds zarf tools yq .metadata.version) - cd upgrade-test + cd upgrade-test || exit # VARIABLES PACKAGE_NAME=$(cat ${{ .inputs.path }}/zarf.yaml | yq .metadata.name) - LATEST_VERSION=$(./uds zarf tools registry ls ${TARGET_REPO}/${PACKAGE_NAME} | grep ${FLAVOR} | sort -V | tail -1) + LATEST_VERSION=$(./uds zarf tools registry ls "${TARGET_REPO}/${PACKAGE_NAME}" | grep "${FLAVOR}" | sort -V | tail -1) BUNDLE_NAME=$(cat ${{ .inputs.bundle_path }}/uds-bundle.yaml | ./uds zarf tools yq .metadata.name) PREVIOUS_BUNDLE_VERSION=$(cat ${{ .inputs.bundle_path }}/uds-bundle.yaml | ./uds zarf tools yq .metadata.version) # Pulls latest published zarf package ./uds zarf package pull \ - oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION} \ + "oci://${TARGET_REPO}/${PACKAGE_NAME}:${LATEST_VERSION}" \ --no-progress \ -o ${{ .inputs.path }} @@ -74,7 +74,7 @@ tasks: sh -c "${{ .inputs.dep_commands }}" # Checks if the zarf package is registry1 and ARM - if [ ${FLAVOR} != "registry1" ] || [ ${{ .inputs.architecture }} != "arm64" ]; then + if [ "${FLAVOR}" != "registry1" ] || [ "${{ .inputs.architecture }}" != "arm64" ]; then # Creates and moves the bundle into the correct spot ./uds create ${{ .inputs.bundle_path }} \ @@ -83,7 +83,7 @@ tasks: --no-progress \ ${{ .inputs.options }} - mv ${{ .inputs.bundle_path }}/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${PREVIOUS_BUNDLE_VERSION}.tar.zst ../bundle/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${BUNDLE_VERSION}.tar.zst + mv "${{ .inputs.bundle_path }}/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${PREVIOUS_BUNDLE_VERSION}.tar.zst" "../bundle/uds-bundle-${BUNDLE_NAME}-${{ .inputs.architecture }}-${BUNDLE_VERSION}.tar.zst" else echo "::warning::⚠️ Registry1 bundles cannot be made for 'arm64'" exit 1