digicatapult · dblane-digicatapult · Mar 22, 2024 · Mar 20, 2024 · Mar 20, 2024 · Mar 20, 2024
diff --git a/.github/workflows/lint.yaml b/.github/workflows/lint.yaml
@@ -0,0 +1,24 @@
+name: lint
+
+on: [push]
+
+jobs:
+  lint:
+    name: Run ShellCheck
+    runs-on: ubuntu-latest
+
+    steps:
+    - name: Check out code
+      uses: actions/checkout@v4
+
+    - name: Install ShellCheck
+      run: sudo apt-get install shellcheck
+
+    - name: Find shell scripts with \#!/bin/sh and run ShellCheck
+      run: |
+        files=$(find . -type f ! -path '*/\.*' -exec grep -lE '^#!(/usr)?/bin/sh' {} +)
+        if [ -n "$files" ]; then
+          shellcheck -a -S warning -s sh $files
+        else
+          echo "No shell scripts with #!/bin/sh shebang found."
+        fi
diff --git a/.shellcheckrc b/.shellcheckrc
@@ -0,0 +1 @@
+disable=SC1090
diff --git a/check-pots.sh b/check-pots.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 
 # Debug any running pots by performing a basic healthcheck
 
 check_tree() {
     if [ -e $1 ]; then
-        if [ $(ls $1 | wc -l) = 0 ]; then
+        if [ "$(ls $1 | wc -l)" -eq 0 ]; then
             echo "[debug] $1 for $pot is empty"
         fi
     else
@@ -16,13 +16,13 @@ check_tree() {
 check_pot() {
     # Are needed rcvars enabled for the pot?
     rcvar=$(pot exec -p $pot sysrc sshd_enable)
-    if [ $(echo $rcvar | grep -o NO ) ]; then
+    if [ "$(echo $rcvar | grep -o NO )" ]; then
         echo "[warning] sshd is disabled on $pot"
     fi
 
     # Is the pot configured to use pkg?
     for pkg in pkg64 pkg64c pk64cb; do
-        if [ -z $(pot exec -p $pot which $pkg) ]; then
+        if [ -z "$(pot exec -p $pot which $pkg)" ]; then
             echo "[warning] $pkg on $pot was not found"
         fi
 
@@ -40,7 +40,7 @@ check_pot() {
 
 echo "[debug] attempting healthchecks on all pots currently active"
 pots=$(pot ps | grep -v '===' | wc -l)
-if [ $(echo $pots) > 0 ]; then
+if [ "$(echo $pots)" -gt 0 ]; then
     for pot in $pots; do
         echo "[debug] checking $pot"
         check_pot

diff --git a/config.sh b/config.sh
@@ -1,15 +1,17 @@
 #!/bin/sh
-set -eo pipefail
-SCRIPTDIR=$(realpath $(dirname $0))
+set -e
+SCRIPTDIR=$(realpath "$(dirname $0)")
 
-if [ "$1" != '--url' -o "$3" != '--token' ] ; then
+if [ "$1" != '--url' ] || [ "$3" != '--token' ]; then
+	# shellcheck disable=all
 	echo usage ./config.sh --url https://github.com/{account}/{repo} --token {token}
 	echo Copy this command from the GitHub actions runner setup page
 	exit 1
 fi
 
 # Generate a random string for the runner name, if using config.sh without variables
-export RANDOM=$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 8)
+RANDOM="$(LC_ALL=C tr -dc 'a-zA-Z0-9' < /dev/urandom | head -c 8)"
+export RANDOM
 . ${SCRIPTDIR}/check-envs.sh
 
 mkdir -p ${RUNNER_CONFIG_DIRECTORY}

diff --git a/create-base.sh b/create-base.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -eo pipefail
+set -e
 if [ ! "${CHERIBSD_BUILD_ID}" ]; then
     mkdir -p /usr/local/share/freebsd/MANIFESTS/
     ARCH=$(curl -s \
@@ -14,7 +14,7 @@ if [ ! "${CHERIBSD_BUILD_ID}" ]; then
     CHERIBSD_BUILD_ID=$(echo $ARCH | awk -F " " '{print $NF}')
 fi
 
-if [ ! $(pot ls -b | grep -o ${CHERIBSD_BUILD_ID}) ]; then
+if [ ! "$(pot ls -b | grep -o "${CHERIBSD_BUILD_ID}")" ]; then
     echo Creating base pot for $CHERIBSD_BUILD_ID
 
     pot create-base -r $CHERIBSD_BUILD_ID

diff --git a/create-runner.sh b/create-runner.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -eo pipefail
+set -e
 
 EXTRA_FLAVOURS=
 if [ "${RUNNER_FLAVOURS}" ] ; then

diff --git a/flavours/github-act-configure.sh b/flavours/github-act-configure.sh
@@ -13,7 +13,7 @@ ARCH=$(curl -s \
     grep -Eo "\w{1,}\.\w{1,}" | sort -u)
 CHERIBSD_BUILD_ID=$(echo ${ARCH} | awk -F " " '{print $NF}')
 # Configure the runner
-cd /root/runner
+cd /root/runner || return 1
 GODEBUG="asyncpreemptoff=1" /usr/local64/bin/github-act-runner configure \
     --url "${GITHUB_URL}" \
     --token "${GITHUB_TOKEN}" \

diff --git a/flavours/github-act.sh b/flavours/github-act.sh
@@ -1,15 +1,18 @@
 #!/bin/sh
 export PAGER=/bin/cat
 
+# Source os-release to get the OS name
+. /etc/os-release
+
 # Update to the latest stable release
-case $( . /etc/os-release; echo $NAME ) in
-    FreeBSD)
+if [ "$NAME" = "FreeBSD" ]; then
     freebsd-update --not-running-from-cron fetch install
-    ;&
-    CheriBSD)
-    echo skipped freebsd-update for CheriBSD
-    ;;
-esac
+    echo "FreeBSD update completed."
+fi
+
+if [ "$NAME" = "CheriBSD" ]; then
+    echo "skipped freebsd-update for $NAME"
+fi
 
 pkg64 install -y git node bash
 

diff --git a/get_token.sh b/get_token.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -eo pipefail
+set -e
 
 # Ensure GITHUB_PAT and GITHUB_ORG environment variables are set
 if [ -z "$GITHUB_PAT" ] || [ -z "$GITHUB_ORG" ]; then

diff --git a/gh_actions b/gh_actions
@@ -5,6 +5,8 @@
 # BEFORE: securelevel
 # KEYWORD: shutdown
 
+# shellcheck disable=SC2034
+
 . /etc/rc.subr
 
 PATH=$PATH:/usr/local64/bin
@@ -22,8 +24,8 @@ gh_actions_running=/var/run/github-runners
 
 gh_actions_start()
 {
-	local POT
 	touch /var/run/github-runners
+	# shellcheck disable=SC2154
 	for RUNNER_NAME in ${gh_actions_pots} ; do
 		export RUNNER_NAME
 		run-actions-runner.sh > /dev/null 2> /dev/null &
@@ -46,7 +48,7 @@ gh_actions_stop()
 					sleep 1
 					# FIXME: This is racy.
 					if [ -f /var/run/github-runners.${RUNNER_NAME} ]; then
-						kill `cat /var/run/github-runners.${RUNNER_NAME}`
+						kill "$(cat "/var/run/github-runners.${RUNNER_NAME}")"
 					fi
 				fi
 			fi
@@ -61,7 +63,7 @@ gh_actions_stop()
 				while [ -f /var/run/github-runners.${RUNNER_NAME} ]; do
 					sleep 1
 					COUNT=$(expr $COUNT + 1)
-					if [ $(expr $COUNT % 10) -eq 0 ] ; then
+					if [ "$(expr $COUNT % 10)" -eq 0 ] ; then
 						echo Waiting for ${RUNNER_NAME} to exit...
 					fi
 				done
@@ -77,11 +79,11 @@ gh_actions_status()
 	for RUNNER_NAME in ${gh_actions_pots} ; do
 		pot info -qr -p ${RUNNER_NAME}-ephemeral > /dev/null 2>&1
 		if [ $? -eq 0 ] ; then
-			echo -n ${RUNNER_NAME} pot running
+			printf "%s" "${RUNNER_NAME} pot running"
 			if [ -f /var/run/github-runners.${RUNNER_NAME} ]; then
-				echo " managed by process $(cat /var/run/github-runners.${RUNNER_NAME})"
+				printf " managed by process %s\n" "$(cat /var/run/github-runners.${RUNNER_NAME})"
 			else
-				echo " but appears to be orphaned"
+				printf " but appears to be orphaned\n"
 			fi
 		fi
 	done

diff --git a/install.sh b/install.sh
@@ -1,13 +1,13 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 POT=$(which pot)
 FLAVOURS=$(dirname ${POT})/../etc/pot/flavours
 if [ ! -d ${FLAVOURS} ]; then
 	echo "Can't locate pot install"
 	exit 1
 fi
 
-echo Installing flavours to $(realpath ${FLAVOURS})
+echo Installing flavours to "$(realpath ${FLAVOURS})"
 install -m 644 flavours/github-act flavours/github-act-configured ${FLAVOURS}
 install flavours/bootstrap ${FLAVOURS}
 install flavours/github-act ${FLAVOURS}

diff --git a/jobs/clean-pots.sh b/jobs/clean-pots.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 
 # Remove any misconfigured jails
 

diff --git a/jobs/count-pots.sh b/jobs/count-pots.sh
@@ -1,11 +1,11 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 
 # Print health status
 
 pots=$(pot ls -p -q | wc -l)
 runners=$(sysrc gh_actions_pots | wc -l)
-if [ "$(echo $pots)" > 0 ] || [ "$(echo $runners)" > 0 ]; then
+if [ "$(echo $pots)" -gt 0 ] || [ "$(echo $runners)" -gt 0 ]; then
     echo "Runner health check: $(date -R)
 $pots pot(s) found
 $runners runner(s) configured to start automatically"

diff --git a/jobs/restart-actions.sh b/jobs/restart-actions.sh
@@ -4,15 +4,15 @@
 
 old_set=$(sysrc -n -q gh_actions_pots)
 new_set=$(pot ls -p -q | grep -i "cheribsd" | grep -v "-ephemeral")
-if [ ! "$(echo $old_set)" == "$(echo $new_set)" ]; then
+if [ ! "$(echo $old_set)" = "$(echo $new_set)" ]; then
     echo "Adding new runners to rc.conf:" $new_set
     sysrc -q -x gh_actions_pots
     echo gh_actions_pots=\"$new_set\" >> /etc/rc.conf
 fi
 
 # Restart the host's GitHub Actions service
 
-if [ "$(sysrc -n gh_actions_enable)" == "YES" ]; then
+if [ "$(sysrc -n gh_actions_enable)" = "YES" ]; then
     echo "Starting all available runners"
     service gh_actions start
 fi
diff --git a/jobs/scrub-pool.sh b/jobs/scrub-pool.sh
@@ -1,9 +1,9 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 
 # Perform consistency checks on ZFS pools
 
-if [ $(zpool status | grep -c ONLINE) > 0 ]; then
+if [ "$(zpool status | grep -c ONLINE)" -gt 0 ]; then
     for pool in $(zpool list -o name | tail -n 1); do
         /sbin/zpool scrub $pool
     done

diff --git a/recreate-runner.sh b/recreate-runner.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
-set -eo pipefail
-SCRIPTDIR=$(realpath $(dirname $0))
+set -e
+SCRIPTDIR=$(realpath "$(dirname $0)")
 . ${SCRIPTDIR}/check-envs.sh
 
 # We are going to reinject the configuration from a prior config directory,

diff --git a/run-actions-runner.sh b/run-actions-runner.sh
@@ -1,5 +1,5 @@
 #!/bin/sh
-set -euo pipefail
+set -eu
 if [ -f /var/run/github-runners.${RUNNER_NAME} ]; then
 	echo ${RUNNER_NAME} already running.
 	echo Please delete /var/run/github-runners.${RUNNER_NAME} if the system did not gracefully shut down.