Add actionlint as a pre-commit hook (with shellcheck integration)
#15021
Conversation
AlexWaygood
force-pushed
the
alex/add-actionlint
branch
from
ff6b181 to
ad00186
Compare
|
|
|
||
| # shellcheck disable=SC2046 | ||
| docker buildx imagetools create \ | ||
| "${annotations[@]}" \ | ||
| $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ |
There was a problem hiding this comment.
This might actually be ok to quote but it's ok for now to disable this as we might need to test this a bit to verify.
But, the other one is probably correct to ignore because it contains glob * character.
| @@ -46,6 +46,7 @@ jobs: | |||
| run: cargo build --locked | |||
| - name: Fuzz | |||
| run: | | |||
| # shellcheck disable=SC2046 | |||
There was a problem hiding this comment.
It might be ok to quote this:
"$(shuf ...)"Although I don't really have a linux machine to test. I'd be fine to ignore this.
There was a problem hiding this comment.
I checked it on my Mac, and the command copied-and-pasted into my shell works as it currently is on main, but adding the quoting breaks it. It's possible it might be different on Linux, but it's also just quite nice to use commands in our GitHub workflows that I can test locally
There was a problem hiding this comment.
I see, let's keep it disabled then. Thanks for testing it.
| exclude: .github/workflows/release.yml | ||
| args: | ||
| - "-ignore=SC2129" # ignorable stylistic lint from shellcheck | ||
| - "-ignore=SC2016" # another shellcheck lint: seems to have false positives? |
There was a problem hiding this comment.
Can you provide the case where it's giving false positive?
There was a problem hiding this comment.
This is the report:
Lint GitHub Actions workflow files.......................................Failed
- hook id: actionlint
- exit code: 1
.github/workflows/publish-docs.yml:113:9: shellcheck reported issue in this script: SC2016:info:7:43: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
|
113 | run: |
| ^~~~
.github/workflows/pr-comment.yaml:52:9: shellcheck reported issue in this script: SC2016:info:13:6: Expressions don't expand in single quotes, use double quotes for that [shellcheck]
|
52 | run: |
| ^~~~
they might be fixable? Not sure. I don't think there's an actual bug on those lines anyway.
We could just put inline ignore comments on those lines? But that specific check didn't seem to actually flag any real issues in our shell scripts
There was a problem hiding this comment.
Oh right, I think the one in publish-docs is a false positive because the pull_request_title needs to be quoted as the title contains multiple words separated by whitespace:
$ gh pr list --state open --json title --jq ".[] | select(.title == ${pull_request_title}) | .number"
failed to parse jq expression (line 1, column 35)
.[] | select(.title == [red-knot] Statically known branches) | .number
^ unexpected token "Statically"Let's ignore this for now as we know it's already working.
|
Thanks for the review! |
Summary
This PR adds actionlint as a pre-commit hook. actionlint is a tool that analyzes your GitHub Actions and verifies that you have correct syntax in your workflows.
One of actionlint's most useful features is a shellcheck integration. Shellcheck is a tool that checks for errors in shell scripts; actionlint's shellcheck integration extracts bash scripts from
run:steps in GitHub Actions workflows and passes them to shellcheck. All the changes to workflow files in this PR are due to issues shellcheck identified via actionlint's shellcheck integration.The motivation behind this PR is that it would have caught the mistakes fixed in #14938 before they happened. I'd like to upgrade our zizmor pre-commit hook to the latest version (#15022), but doing so requires further changes to our GitHub workflows; I'm unwilling to do that until we have better linters for our GitHub workflows in CI.
Test Plan
uvx pre-commit run -apasses locally, and I verified that it is correctly running the shellcheck integration due to theadditional_dependenciesin the pre-commit entry