-
Notifications
You must be signed in to change notification settings - Fork 1.2k
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
Add actionlint
as a pre-commit hook (with shellcheck integration)
#15021
Conversation
ff6b181
to
ad00186
Compare
|
|
||
# shellcheck disable=SC2046 | ||
docker buildx imagetools create \ | ||
"${annotations[@]}" \ | ||
$(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This might actually be ok to quote but it's ok for now to disable this as we might need to test this a bit to verify.
But, the other one is probably correct to ignore because it contains glob *
character.
@@ -46,6 +46,7 @@ jobs: | |||
run: cargo build --locked | |||
- name: Fuzz | |||
run: | | |||
# shellcheck disable=SC2046 |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
It might be ok to quote this:
"$(shuf ...)"
Although I don't really have a linux machine to test. I'd be fine to ignore this.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I checked it on my Mac, and the command copied-and-pasted into my shell works as it currently is on main
, but adding the quoting breaks it. It's possible it might be different on Linux, but it's also just quite nice to use commands in our GitHub workflows that I can test locally
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
I see, let's keep it disabled then. Thanks for testing it.
exclude: .github/workflows/release.yml | ||
args: | ||
- "-ignore=SC2129" # ignorable stylistic lint from shellcheck | ||
- "-ignore=SC2016" # another shellcheck lint: seems to have false positives? |
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Can you provide the case where it's giving false positive?
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
This is the report:
Lint GitHub Actions workflow files.......................................Failed
- hook id: actionlint
- exit code: 1
.github/workflows/publish-docs.yml:113:9: shellcheck reported issue in this script: SC2016:info:7:43: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
|
113 | run: |
| ^~~~
.github/workflows/pr-comment.yaml:52:9: shellcheck reported issue in this script: SC2016:info:13:6: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
|
52 | run: |
| ^~~~
they might be fixable? Not sure. I don't think there's an actual bug on those lines anyway.
We could just put inline ignore comments on those lines? But that specific check didn't seem to actually flag any real issues in our shell scripts
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Oh right, I think the one in publish-docs
is a false positive because the pull_request_title
needs to be quoted as the title contains multiple words separated by whitespace:
$ gh pr list --state open --json title --jq ".[] | select(.title == ${pull_request_title}) | .number"
failed to parse jq expression (line 1, column 35)
.[] | select(.title == [red-knot] Statically known branches) | .number
^ unexpected token "Statically"
Let's ignore this for now as we know it's already working.
There was a problem hiding this comment.
Choose a reason for hiding this comment
The reason will be displayed to describe this comment to others. Learn more.
Looks good, I've some minor comments but otherwise should be good to go. Thanks for taking this on!
Thanks for the review! |
Summary
This PR adds actionlint as a pre-commit hook. actionlint is a tool that analyzes your GitHub Actions and verifies that you have correct syntax in your workflows.
One of actionlint's most useful features is a shellcheck integration. Shellcheck is a tool that checks for errors in shell scripts; actionlint's shellcheck integration extracts bash scripts from
run:
steps in GitHub Actions workflows and passes them to shellcheck. All the changes to workflow files in this PR are due to issues shellcheck identified via actionlint's shellcheck integration.The motivation behind this PR is that it would have caught the mistakes fixed in #14938 before they happened. I'd like to upgrade our zizmor pre-commit hook to the latest version (#15022), but doing so requires further changes to our GitHub workflows; I'm unwilling to do that until we have better linters for our GitHub workflows in CI.
Test Plan
uvx pre-commit run -a
passes locally, and I verified that it is correctly running the shellcheck integration due to theadditional_dependencies
in the pre-commit entry