From cc32659fadb184f7009476afcff033e815976b70 Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 22 Jul 2024 17:47:00 +0200
Subject: [PATCH 1/2] Add Checkton workflow

Checkton is a GitHub action that runs ShellCheck on scripts embedded in YAML files (https://github.com/chmeliik/checkton)

Signed-off-by: Adam Cmiel
---
 .github/workflows/checkton.yaml | 33 +++++++++++++++++++++++++++++++++
 1 file changed, 33 insertions(+)
 create mode 100644 .github/workflows/checkton.yaml

diff --git a/.github/workflows/checkton.yaml b/.github/workflows/checkton.yaml
new file mode 100644
index 0000000000..34fc58a84b
--- /dev/null
+++ b/.github/workflows/checkton.yaml
@@ -0,0 +1,33 @@
+name: Checkton
+on:
+ pull_request:
+ branches: [main]
+
+jobs:
+ lint:
+ runs-on: ubuntu-latest
+
+ steps:
+ - name: Checkout repository
+ uses: actions/checkout@v4
+ with:
+ # Differential Checkton requires full git history
+ fetch-depth: 0
+
+ - name: Run Checkton
+ id: checkton
+ uses: chmeliik/checkton@v0.2.1
+ with:
+ # Set to false when re-enabling SARIF uploads
+ fail-on-findings: true
+ find-copies-harder: true
+
+ # Currently, code scanning alerts annoyingly stay open even if you fix them.
+ # Don't upload SARIF until https://github.com/orgs/community/discussions/132787 is resolved.
+
+ # - name: Upload SARIF file
+ # uses: github/codeql-action/upload-sarif@v3
+ # with:
+ # sarif_file: ${{ steps.checkton.outputs.sarif }}
+ # # Avoid clashing with ShellCheck
+ # category: checkton

From 3deb362efb4f81ae245c101670681083eac9aefb Mon Sep 17 00:00:00 2001
From: Adam Cmiel
Date: Mon, 22 Jul 2024 18:06:23 +0200
Subject: [PATCH 2/2] Add script for running checkton locally

If you don't want to push to a PR just to re-run the linter, you can use this script. Won't work on ARM Macs, sorry!

Signed-off-by: Adam Cmiel
---
 hack/checkton-local.sh | 31 +++++++++++++++++++++++++++++++
 1 file changed, 31 insertions(+)
 create mode 100755 hack/checkton-local.sh
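Review bot: Both `uses:` references in the new workflow are pinned to mutable tags (`actions/checkout@v4`, `chmeliik/checkton@v0.2.1`), so whoever can move those tags decides what code runs against every pull request; pin each step to a full-length commit SHA and keep the tag as a trailing comment, e.g. `uses: chmeliik/checkton@<full-commit-sha> # v0.2.1`. The workflow also declares no `permissions:` block, so the job token receives the repository's default scopes rather than the minimum it needs; a top-level `permissions:` with `contents: read` limits that, and the commented-out SARIF upload would additionally need `security-events: write` when it is re-enabled. Note that `hack/checkton-local.sh` in the second patch derives the container image from this `uses:` line with a `v[0-9]` match, so a SHA pin needs that script adjusted at the same time.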
diff --git a/hack/checkton-local.sh b/hack/checkton-local.sh
new file mode 100755
index 0000000000..e078d94056
--- /dev/null
+++ b/hack/checkton-local.sh
@@ -0,0 +1,31 @@
+#!/bin/bash
+set -o errexit -o nounset -o pipefail
+
+get_checkton_image_based_on_action_version() {
+ sed -nE \
+ 's;^\s*uses: (.*)/checkton.*(v[0-9]\S*);ghcr.io/\1/checkton:\2;p' \
+ .github/workflows/checkton.yaml
+}
+
+mapfile -t checkton_env_vars < <(
+ env CHECKTON_FIND_COPIES_HARDER="${CHECKTON_FIND_COPIES_HARDER:-true}" | grep '^CHECKTON_'
+)
+CHECKTON_IMAGE=${CHECKTON_IMAGE:-$(get_checkton_image_based_on_action_version)}
+
+{
+ echo "Checkton image: $CHECKTON_IMAGE"
+
+ echo "CHECKTON_* variables:"
+ printf " %s\n" "${checkton_env_vars[@]}"
+} >&2
+
+
+if command -v getenforce >/dev/null && [[ "$(getenforce)" == Enforcing ]]; then
+ z=":z"
+else
+ z=""
+fi
+
+mapfile -t env_flags < <(printf -- "--env=%s\n" "${checkton_env_vars[@]}")
+
+podman run --rm --tty -v "$PWD:/code${z}" -w /code "${env_flags[@]}" "$CHECKTON_IMAGE"
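Review bot: `CHECKTON_IMAGE` is never checked for emptiness after the `CHECKTON_IMAGE=${CHECKTON_IMAGE:-$(...)}` line: `get_checkton_image_based_on_action_version` only prints a value when the `uses:` line in `.github/workflows/checkton.yaml` matches `checkton.*(v[0-9]\S*)`, so a SHA-pinned or otherwise reformatted reference yields an empty string, `nounset` does not catch it because the variable is set, and `podman run` is invoked with `""` as the image and a confusing error. Add a guard right after the assignment: `[[ -n "$CHECKTON_IMAGE" ]] || { echo "Could not derive Checkton image from .github/workflows/checkton.yaml; set CHECKTON_IMAGE" >&2; exit 1; }`. The bind mount `-v "$PWD:/code${z}"` also gives the container write access to the whole working tree; if Checkton only needs to read the sources (worth confirming against the image), mount it read-only by using `-v "$PWD:/code:ro${z}"` and changing `z=":z"` to `z=",z"` so the SELinux relabel still composes.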