Skip to content

Add ShellCheck GitHub Actions workflow#745

Merged
openshift-merge-bot[bot] merged 2 commits into
openshift-kni:mainfrom
sebrandon1:add-shellcheck-gha
Jun 26, 2026
Merged

Add ShellCheck GitHub Actions workflow#745
openshift-merge-bot[bot] merged 2 commits into
openshift-kni:mainfrom
sebrandon1:add-shellcheck-gha

Conversation

@sebrandon1

@sebrandon1 sebrandon1 commented May 6, 2026

Copy link
Copy Markdown
Contributor

Summary

  • Add a make test-shellcheck target and hack/test-shellcheck.sh wrapper script following the same pattern as make test-kustomize / hack/test-kustomize.sh
  • Add a GitHub Actions workflow that calls make test-shellcheck when PRs touch shell scripts or the Makefile
  • Add shellcheck to the make check-deps dependency verification
  • Fix 2 existing ShellCheck errors (SC2145: $@ in echo strings changed to $*) in extra-manifests-builder test scripts
  • Runs at severity=error to catch real bugs without blocking on style warnings

The repo has 32 shell scripts across hack/, extra-manifests-builder/, compare utilities, and configuration scripts. Users can now validate scripts locally with make test-shellcheck before pushing.

@openshift-ci openshift-ci Bot requested review from ffromani and lack May 6, 2026 18:00
@coderabbitai

coderabbitai Bot commented May 6, 2026

Copy link
Copy Markdown

Review Change Stack

Warning

Review limit reached

@sebrandon1, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 59 minutes and 59 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan review availability.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, additional reviews become available more gradually as earlier reviews age out of the rolling window.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 7ea45b05-d69b-44ec-9193-9277b7ffb17f

📥 Commits

Reviewing files that changed from the base of the PR and between 7a56340 and 8cb71c8.

📒 Files selected for processing (5)
  • .github/workflows/shellcheck.yml
  • Makefile
  • hack/test-shellcheck.sh
  • telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/test.sh
  • telco-ran/configuration/extra-manifests-builder/08-set-rcu-normal/test.sh
📝 Walkthrough

Walkthrough

A ShellCheck linting pipeline is added: a new hack/test-shellcheck.sh runner script discovers and lints all shell scripts with directory exclusions, a test-shellcheck Makefile target invokes it, check-deps gains a shellcheck presence check, and a GitHub Actions workflow runs the target on PRs. Two existing test.sh scripts are fixed to pass the linter by changing $@ to $* in their fatal() helpers.

Changes

ShellCheck Linting Infrastructure

Layer / File(s) Summary
ShellCheck runner script, Makefile targets, and CI workflow
hack/test-shellcheck.sh, Makefile, .github/workflows/shellcheck.yml
hack/test-shellcheck.sh discovers all *.sh files (excluding .git/, venv/, .venv/, sdk-go/), runs shellcheck --severity=error on each, and exits 1 on any failure. The Makefile adds a shellcheck presence check in check-deps and a test-shellcheck phony target. The GitHub Actions workflow triggers on PRs touching **/*.sh or Makefile and runs make test-shellcheck on ubuntu-latest.
Fix fatal() argument expansion in existing test scripts
telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/test.sh, telco-ran/configuration/extra-manifests-builder/08-set-rcu-normal/test.sh
The fatal() helper in both scripts is updated from "$@" to "$*" so multiple arguments are concatenated in the FATAL: output and the scripts pass ShellCheck.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5
✅ Passed checks (5 passed)
Check name Status Explanation
Title check ✅ Passed The title clearly reflects the main addition of a ShellCheck GitHub Actions workflow.
Description check ✅ Passed The description accurately summarizes the ShellCheck workflow, Makefile target, dependency check, and script fixes.
Docstring Coverage ✅ Passed Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.

✏️ Tip: You can configure your own custom pre-merge checks in the settings.

✨ Finishing Touches
🧪 Generate unit tests (beta)
  • Create PR with unit tests

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

Comment @coderabbitai help to get the list of available commands.

@sebrandon1 sebrandon1 force-pushed the add-shellcheck-gha branch 4 times, most recently from f5df3f0 to 4e64b0c Compare May 6, 2026 18:16
@sebrandon1 sebrandon1 force-pushed the add-shellcheck-gha branch from 4e64b0c to bfc0c78 Compare June 22, 2026 16:42
@irinamihai

Copy link
Copy Markdown
Contributor

It looks like there is no way for users to run the shellcheck locally, before pushing their changes.
I think the model under the kustomization validation workflow should be followed where there's a makefile target for the shellcheck and the workflow calls it. WDYT?

Also, shellcheck should be a verified dependency under the check-deps target if it's gonna be available to run locally.

@sebrandon1

Copy link
Copy Markdown
Contributor Author

Ah yes good call I will update it to match the same flow as the kustomization workflow.

@sebrandon1 sebrandon1 force-pushed the add-shellcheck-gha branch from bfc0c78 to 49f17fd Compare June 22, 2026 22:34

@coderabbitai coderabbitai Bot left a comment

Copy link
Copy Markdown

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents
Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/shellcheck.yml:
- Around line 20-21: The actions/checkout action is not pinned to a specific
commit SHA, creating a supply-chain risk. Replace the version tag reference
(currently `@v4`) in the uses field with a pinned commit SHA. Additionally,
explicitly disable credential persistence by adding a with section to the
checkout action with persist-credentials: false. This change should be applied
to all instances of the actions/checkout action across the workflow files
(shellcheck.yml, kustomize-validation.yml, and doc-updater.yml).
🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

  • Push a commit to this branch (recommended)
  • Create a new PR with the fixes

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 83072a75-c21c-4a99-b1f7-322a35576cd9

📥 Commits

Reviewing files that changed from the base of the PR and between 8b0e015 and 49f17fd.

📒 Files selected for processing (5)
  • .github/workflows/shellcheck.yml
  • Makefile
  • hack/test-shellcheck.sh
  • telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/test.sh
  • telco-ran/configuration/extra-manifests-builder/08-set-rcu-normal/test.sh

Comment thread .github/workflows/shellcheck.yml Outdated
@sebrandon1 sebrandon1 force-pushed the add-shellcheck-gha branch from 49f17fd to 3bed570 Compare June 22, 2026 22:46
- Add hack/test-shellcheck.sh wrapper script following the same pattern
  as hack/test-kustomize.sh for local developer use
- Add test-shellcheck Makefile target that invokes the wrapper script
- Add shellcheck to check-deps dependency verification
- GHA workflow delegates to make test-shellcheck instead of inline commands
- Fix SC2145 shellcheck errors in extra-manifests-builder test scripts
Pin actions/checkout to v7.0.0 SHA (9c091bb) to mitigate supply-chain
risk from mutable tags. Add persist-credentials: false since the
workflow only needs read access for shellcheck validation.
@sebrandon1 sebrandon1 force-pushed the add-shellcheck-gha branch from 7a56340 to 8cb71c8 Compare June 25, 2026 16:17
@irinamihai

Copy link
Copy Markdown
Contributor

/lgtm
/approve

@openshift-ci openshift-ci Bot added the lgtm Indicates that a PR is ready to be merged. label Jun 26, 2026
@openshift-ci

openshift-ci Bot commented Jun 26, 2026

Copy link
Copy Markdown

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: irinamihai, sebrandon1

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details Needs approval from an approver in each of these files:

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

@openshift-ci openshift-ci Bot added the approved Indicates a PR has been approved by an approver from all required OWNERS files. label Jun 26, 2026
@openshift-merge-bot openshift-merge-bot Bot merged commit c4b78b6 into openshift-kni:main Jun 26, 2026
5 checks passed
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Labels

approved Indicates a PR has been approved by an approver from all required OWNERS files. lgtm Indicates that a PR is ready to be merged.

Projects

None yet

Development

Successfully merging this pull request may close these issues.

3 participants