Add pre-commit hooks and CI lint job

bschwedler · bschwedler · commit 875daee3311c · 2026-04-16T15:02:38.000-05:00
Adds .pre-commit-config.yaml with standard hooks (check-json, check-yaml, check-executables-have-shebangs, check-shebang-scripts-are- executable, end-of-file-fixer, trailing-whitespace, pretty-format-json, shellcheck, etc.) and an inline `lint` job in production.yml gated by the `ci` meta-job's `needs:`. Lint job uses SHA-pinned actions (checkout@v6.0.2, setup-python@v5.6.0, pre-commit/action@v3.0.1) with `permissions: contents: read` and `persist-credentials: false`. Hook versions updated via pre-commit autoupdate. Template and rendered-file changes to make pre-commit pass: - Mark shell-script Jinja2 templates (*.sh.jinja2) executable so rendered scripts inherit the exec bit via bakery's template-mode propagation (posit-dev/images-shared#469) - Mark justfile executable + add a `setup` recipe to install hooks - Add `# shellcheck disable=SC2045`, `# shellcheck disable=SC2046`, and quoted variables across startup.sh.jinja2 and install_workbench.sh.jinja2 - Strip leading whitespace from `{% for %}`/`{% endfor %}`/`{% raw %}` blocks in goss.yaml template so rendered output doesn't regress into trailing whitespace on re-render - Drop `.jinja2` suffix from vscode-user-settings.json.jinja2 (no Jinja2 syntax; matches positron-user-settings.json convention); reformat to 2-space indent with alphabetized keys so pretty-format-json passes - Exclude *.sh.jinja2 from check-executables-have-shebangs (templates compose shebangs from Jinja2 macros) - Exclude .claude/settings.json from pretty-format-json README: add `pre-commit` bullet to the Prerequisites list pointing contributors at `just setup`. Various trailing-newline and trailing-whitespace fixes across rendered and non-rendered files surfaced by the new hooks.
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -10,4 +10,3 @@ updates:
       actions:
         patterns:
           - "*"
-
diff --git a/.github/workflows/development.yml b/.github/workflows/development.yml
@@ -76,4 +76,4 @@ jobs:
       dev-versions: "only"
       remove-dangling-caches: true
       remove-caches-older-than: 14
-      clean-temporary-images: false
+      clean-temporary-images: false
diff --git a/.github/workflows/production.yml b/.github/workflows/production.yml
@@ -30,6 +30,7 @@ jobs:
     runs-on: ubuntu-latest
     timeout-minutes: 10
     needs:
+      - lint
       - build
 
     steps:
@@ -44,6 +45,23 @@ jobs:
           result: ${{ steps.alls-green.outcome }}
           slack-webhook-url: ${{ secrets.SLACK_WEBHOOK_URL }}
 
+  lint:
+    name: Lint
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    permissions:
+      contents: read
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
+        with:
+          persist-credentials: false
+      - uses: actions/setup-python@a26af69be951a213d495a4c3e4e4022e16d87065  # v5.6.0
+        with:
+          python-version: "3.x"
+      - uses: pre-commit/action@2c7b3805fd2a0fd8c1884dcaebf91fc102a13ecd  # v3.0.1
+        env:
+          SKIP: no-commit-to-branch
+
   build:
     name: Build
     # Build all images, excluding dev versions.
@@ -79,4 +97,4 @@ jobs:
     with:
       remove-dangling-caches: true
       remove-caches-older-than: 14
-      clean-temporary-images: false
+      clean-temporary-images: false
diff --git a/.gitignore b/.gitignore
@@ -168,4 +168,3 @@ cython_debug/
 #  and can be added to the global gitignore or merged into this file.  For a more nuclear
 #  option (not recommended) you can uncomment the following to ignore the entire idea folder.
 #.idea/
-
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,30 @@
+# See https://pre-commit.com for more information
+# See https://pre-commit.com/hooks.html for more hooks
+repos:
+-   repo: https://github.com/pre-commit/pre-commit-hooks
+    rev: v6.0.0
+    hooks:
+    -   id: check-added-large-files
+    -   id: check-case-conflict
+    -   id: check-executables-have-shebangs
+        exclude: "^.*\\.sh\\.jinja2$"
+    -   id: check-json
+    -   id: check-shebang-scripts-are-executable
+    -   id: check-yaml
+        exclude: "^.*goss.yaml$"
+    -   id: detect-aws-credentials
+        args: [--allow-missing-credentials]
+    -   id: detect-private-key
+    -   id: end-of-file-fixer
+    -   id: fix-byte-order-marker
+    -   id: mixed-line-ending
+    -   id: no-commit-to-branch
+        args: [--branch, main]
+    -   id: pretty-format-json
+        exclude: "^\\.claude/settings\\.json$"
+    -   id: trailing-whitespace
+-   repo: https://github.com/koalaman/shellcheck-precommit
+    rev: v0.11.0
+    hooks:
+    -   id: shellcheck
+        args: ["-s", "bash"]
diff --git a/CODE_OF_CONDUCT.md b/CODE_OF_CONDUCT.md
@@ -131,4 +131,3 @@ For answers to common questions about this code of conduct, see the FAQ at
 [Mozilla CoC]: https://github.com/mozilla/diversity
 [FAQ]: https://www.contributor-covenant.org/faq
 [translations]: https://www.contributor-covenant.org/translations
-
diff --git a/README.md b/README.md
@@ -152,6 +152,12 @@ Build prerequisites
     just install-goss
     ```
 
+* [`pre-commit`](https://pre-commit.com/) hooks (for contributors)
+
+    ```shell
+    just setup
+    ```
+
 ### Build with `bakery`
 
 By default, bakery creates an ephemeral JSON [bakefile](https://docs.bakefile.org/en/latest/language.html) to render all containers in parallel.
diff --git a/justfile b/justfile
@@ -1,5 +1,9 @@
 #!/usr/bin/env just --justfile
 
+setup:
+  pre-commit --version || (echo "pre-commit not found, install with: uv tool install pre-commit" && exit 1)
+  pre-commit install --install-hooks
+
 install-bakery *OPTS:
   #!/bin/bash
   # TODO: Update this after package is published somewhere
diff --git a/workbench/2025.09/conf/positron/positron-user-settings.json b/workbench/2025.09/conf/positron/positron-user-settings.json
@@ -1,6 +1,6 @@
 {
-  "terminal.integrated.defaultProfile.linux": "bash",
-  "extensions.autoUpdate": false,
   "extensions.autoCheckUpdates": false,
-  "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto"
+  "extensions.autoUpdate": false,
+  "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto",
+  "terminal.integrated.defaultProfile.linux": "bash"
 }
diff --git a/workbench/2025.09/conf/vscode/vscode-user-settings.json b/workbench/2025.09/conf/vscode/vscode-user-settings.json
@@ -1,5 +1,5 @@
 {
-      "terminal.integrated.shell.linux": "bash",
-      "extensions.autoUpdate": false,
-      "extensions.autoCheckUpdates": false
+  "extensions.autoCheckUpdates": false,
+  "extensions.autoUpdate": false,
+  "terminal.integrated.shell.linux": "bash"
 }
diff --git a/workbench/2025.09/deps/ubuntu-22.04_packages.txt b/workbench/2025.09/deps/ubuntu-22.04_packages.txt
@@ -9,4 +9,4 @@ lsb-release
 psmisc
 rrdtool
 sudo
-supervisor
+supervisor
diff --git a/workbench/2025.09/deps/ubuntu-24.04_packages.txt b/workbench/2025.09/deps/ubuntu-24.04_packages.txt
@@ -9,4 +9,4 @@ lsb-release
 psmisc
 rrdtool
 sudo
-supervisor
+supervisor
diff --git a/workbench/2025.09/scripts/install_workbench.sh b/workbench/2025.09/scripts/install_workbench.sh
@@ -14,7 +14,8 @@ apt-get download "${package_name}=2025.09.2+418.pro4"
 deb_file="$(pwd)/$(ls ${package_name}*.deb)"
 
 # Install dependencies
-apt-get install -yq $(dpkg -I $deb_file | grep '^ Depends:' | sed 's/^ Depends: //' | tr ',' '\n' | awk '{print $1}' | tr -d '(')
+# shellcheck disable=SC2046
+apt-get install -yq $(dpkg -I "$deb_file" | grep '^ Depends:' | sed 's/^ Depends: //' | tr ',' '\n' | awk '{print $1}' | tr -d '(')
 
 # Patch the installer to not activate the service
 echo "$d Patching ${deb_file} $d"
diff --git a/workbench/2025.09/scripts/startup.sh b/workbench/2025.09/scripts/startup.sh
@@ -17,8 +17,9 @@ deactivate() {
       /usr/lib/rstudio-server/bin/license-manager deactivate >/dev/null 2>&1
       is_deactivated=1
       ((retries+=1))
+      # shellcheck disable=SC2045
       for file in $(ls -A /var/lib/.local); do
-        if [ -s /var/lib/.local/$file ]; then
+        if [ -s "/var/lib/.local/$file" ]; then
           if [[ $retries -lt 3 ]]; then
             echo "License did not deactivate, retry ${retries}..."
             is_deactivated=0
@@ -39,9 +40,9 @@ PWB_TESTUSER_PASSWD=${PWB_TESTUSER_PASSWD:-${RSW_TESTUSER_PASSWD}}
 
 verify_installation(){
    echo "==VERIFY INSTALLATION==";
-   mkdir -p $DIAGNOSTIC_DIR
-   chmod 777 $DIAGNOSTIC_DIR
-   rstudio-server verify-installation --verify-user=$PWB_TESTUSER | tee $DIAGNOSTIC_DIR/verify.log
+   mkdir -p "$DIAGNOSTIC_DIR"
+   chmod 777 "$DIAGNOSTIC_DIR"
+   rstudio-server verify-installation --verify-user="$PWB_TESTUSER" | tee "$DIAGNOSTIC_DIR/verify.log"
 }
 
 # Backward compatibility for RSW_ and RSP_ prefixes
@@ -52,11 +53,11 @@ PWB_LICENSE_FILE_PATH=${PWB_LICENSE_FILE_PATH:-${RSW_LICENSE_FILE_PATH}}
 # Activate License
 PWB_LICENSE_FILE_PATH=${PWB_LICENSE_FILE_PATH:-/etc/rstudio-server/license.lic}
 if [ -n "$PWB_LICENSE" ]; then
-    /usr/lib/rstudio-server/bin/license-manager activate $PWB_LICENSE
+    /usr/lib/rstudio-server/bin/license-manager activate "$PWB_LICENSE"
 elif [ -n "$PWB_LICENSE_SERVER" ]; then
-    /usr/lib/rstudio-server/bin/license-manager license-server $PWB_LICENSE_SERVER
+    /usr/lib/rstudio-server/bin/license-manager license-server "$PWB_LICENSE_SERVER"
 elif test -f "$PWB_LICENSE_FILE_PATH"; then
-    /usr/lib/rstudio-server/bin/license-manager activate-file $PWB_LICENSE_FILE_PATH
+    /usr/lib/rstudio-server/bin/license-manager activate-file "$PWB_LICENSE_FILE_PATH"
 fi
 
 # ensure these cannot be inherited by child processes
@@ -68,7 +69,7 @@ unset RSW_LICENSE
 unset RSW_LICENSE_SERVER
 
 # Create one user
-if [ $(getent passwd $PWB_TESTUSER_UID) ] ; then
+if [ "$(getent passwd "$PWB_TESTUSER_UID")" ] ; then
     echo "UID $PWB_TESTUSER_UID already exists, not creating $PWB_TESTUSER test user";
 else
     if [ -z "$PWB_TESTUSER" ]; then
@@ -77,7 +78,7 @@ else
         if [ -z "$PWB_TESTUSER_UID" ]; then
             PWB_TESTUSER_UID=10000
         fi
-        useradd -m -s /bin/bash -u $PWB_TESTUSER_UID -U $PWB_TESTUSER
+        useradd -m -s /bin/bash -u "$PWB_TESTUSER_UID" -U "$PWB_TESTUSER"
         echo "$PWB_TESTUSER:$PWB_TESTUSER_PASSWD" | sudo chpasswd
     fi
 fi
@@ -89,14 +90,14 @@ PWB_LAUNCHER_TIMEOUT=${PWB_LAUNCHER_TIMEOUT:-${RSW_LAUNCHER_TIMEOUT}}
 # Start Launcher
 if [ "$PWB_LAUNCHER" == "true" ]; then
   echo "Waiting for launcher to startup... to disable set PWB_LAUNCHER=false"
-  wait-for-it.sh localhost:5559 -t $PWB_LAUNCHER_TIMEOUT
+  wait-for-it.sh localhost:5559 -t "$PWB_LAUNCHER_TIMEOUT"
 fi
 
 # Check diagnostic configurations
 if [ "$DIAGNOSTIC_ENABLE" == "true" ]; then
   verify_installation
   if [ "$DIAGNOSTIC_ONLY" == "true" ]; then
-    echo $(<$DIAGNOSTIC_DIR/verify.log);
+    echo "$(<"$DIAGNOSTIC_DIR"/verify.log)";
     echo "Exiting script because DIAGNOSTIC_ONLY=${DIAGNOSTIC_ONLY}";
     exit 0
   fi;
diff --git a/workbench/2025.09/test/goss.yaml b/workbench/2025.09/test/goss.yaml
@@ -14,11 +14,11 @@ group:
 package:
   rstudio-server:
     installed: true
-  
+
   r-4.5.1:
     installed: true
     skip: {{ if eq .Env.IMAGE_VARIANT "Minimal" }}true{{ else }}false{{ end }}
-  
+
   {{ $apt_package_list_path := printf "/tmp/version/deps/%s-%s_packages.txt" .Env.IMAGE_OS_NAME .Env.IMAGE_OS_VERSION }}
   {{ $apt_package_list := readFile $apt_package_list_path | splitList "\n" }}
   {{- range $apt_package_list }}
@@ -115,16 +115,16 @@ file:
     exists: true
     filetype: symlink
   # Check for R installation
-  
+
   /opt/R/4.5.1/bin/R:
     exists: {{ if eq .Env.IMAGE_VARIANT "Standard" }}true{{ else }}false{{ end }}
     filetype: file
-  
+
   # Check for Python installation
-  
+
   /opt/python/3.13.7/bin/python:
     exists: {{ if eq .Env.IMAGE_VARIANT "Standard" }}true{{ else }}false{{ end }}
-  
+
   /opt/python/jupyter/bin/python:
     exists: {{ if eq .Env.IMAGE_VARIANT "Standard" }}true{{ else }}false{{ end }}
   /opt/python/jupyter/bin/jupyter:
@@ -141,7 +141,7 @@ file:
 
   # Check that startup files were not accidentally included in build
   # These can only be reliably checked for minimal variant for now, see #372
-  
+
   {{ if eq .Env.IMAGE_VARIANT "Minimal" }}
   /etc/rstudio/launcher.pem:
     exists: false
@@ -158,7 +158,7 @@ file:
   /var/lib/rstudio-server/rstudio.sqlite:
     exists: false
   {{ end }}
-  
+
 
 command:
   "Ensure rstudio-server has permissions to log directory":
@@ -183,14 +183,14 @@ command:
     stdout:
       - "R version 4.5.1"
     skip: {{ if eq .Env.IMAGE_VARIANT "Minimal" }}true{{ else }}false{{ end }}
-  
+
   "Verify Python installation is version 3.13.7":
     exec: /opt/python/3.13.7/bin/python --version
     exit-status: 0
     stdout:
       - "3.13.7"
     skip: {{ if eq .Env.IMAGE_VARIANT "Minimal" }}true{{ else }}false{{ end }}
-  
+
   "Verify Jupyter installation Python version":
     exec: /opt/python/jupyter/bin/python --version
     exit-status: 0
diff --git a/workbench/2026.01/conf/positron/positron-user-settings.json b/workbench/2026.01/conf/positron/positron-user-settings.json
@@ -1,6 +1,6 @@
 {
-  "terminal.integrated.defaultProfile.linux": "bash",
-  "extensions.autoUpdate": false,
   "extensions.autoCheckUpdates": false,
-  "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto"
+  "extensions.autoUpdate": false,
+  "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto",
+  "terminal.integrated.defaultProfile.linux": "bash"
 }
diff --git a/workbench/2026.01/conf/vscode/vscode-user-settings.json b/workbench/2026.01/conf/vscode/vscode-user-settings.json
@@ -1,5 +1,5 @@
 {
-      "terminal.integrated.shell.linux": "bash",
-      "extensions.autoUpdate": false,
-      "extensions.autoCheckUpdates": false
+  "extensions.autoCheckUpdates": false,
+  "extensions.autoUpdate": false,
+  "terminal.integrated.shell.linux": "bash"
 }
diff --git a/workbench/2026.01/deps/ubuntu-22.04_packages.txt b/workbench/2026.01/deps/ubuntu-22.04_packages.txt
@@ -9,4 +9,4 @@ lsb-release
 psmisc
 rrdtool
 sudo
-supervisor
+supervisor
diff --git a/workbench/2026.01/deps/ubuntu-24.04_packages.txt b/workbench/2026.01/deps/ubuntu-24.04_packages.txt
@@ -9,4 +9,4 @@ lsb-release
 psmisc
 rrdtool
 sudo
-supervisor
+supervisor
diff --git a/workbench/2026.01/scripts/install_workbench.sh b/workbench/2026.01/scripts/install_workbench.sh
@@ -14,7 +14,8 @@ apt-get download "${package_name}=2026.01.2+418.pro1"
 deb_file="$(pwd)/$(ls ${package_name}*.deb)"
 
 # Install dependencies
-apt-get install -yq $(dpkg -I $deb_file | grep '^ Depends:' | sed 's/^ Depends: //' | tr ',' '\n' | awk '{print $1}' | tr -d '(')
+# shellcheck disable=SC2046
+apt-get install -yq $(dpkg -I "$deb_file" | grep '^ Depends:' | sed 's/^ Depends: //' | tr ',' '\n' | awk '{print $1}' | tr -d '(')
 
 # Patch the installer to not activate the service
 echo "$d Patching ${deb_file} $d"
diff --git a/workbench/2026.01/scripts/startup.sh b/workbench/2026.01/scripts/startup.sh
diff --git a/workbench/2026.01/test/goss.yaml b/workbench/2026.01/test/goss.yaml
diff --git a/workbench/template/conf/positron/positron-user-settings.json b/workbench/template/conf/positron/positron-user-settings.json
diff --git a/workbench/template/conf/vscode/vscode-user-settings.json b/workbench/template/conf/vscode/vscode-user-settings.json
diff --git a/workbench/template/conf/vscode/vscode-user-settings.json.jinja2 b/workbench/template/conf/vscode/vscode-user-settings.json.jinja2
diff --git a/workbench/template/deps/ubuntu-22.04_packages.txt.jinja2 b/workbench/template/deps/ubuntu-22.04_packages.txt.jinja2
diff --git a/workbench/template/deps/ubuntu-24.04_packages.txt.jinja2 b/workbench/template/deps/ubuntu-24.04_packages.txt.jinja2
diff --git a/workbench/template/scripts/install_workbench.sh.jinja2 b/workbench/template/scripts/install_workbench.sh.jinja2
diff --git a/workbench/template/scripts/startup.sh.jinja2 b/workbench/template/scripts/startup.sh.jinja2
diff --git a/workbench/template/test/goss.yaml.jinja2 b/workbench/template/test/goss.yaml.jinja2

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`{`
`2`		`- "terminal.integrated.defaultProfile.linux": "bash",`
`3`		`- "extensions.autoUpdate": false,`
`4`	`2`	`"extensions.autoCheckUpdates": false,`
`5`		`- "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto"`
	`3`	`+ "extensions.autoUpdate": false,`
	`4`	`+ "quarto.path": "/usr/lib/rstudio-server/bin/quarto/bin/quarto",`
	`5`	`+ "terminal.integrated.defaultProfile.linux": "bash"`
`6`	`6`	`}`
Original file line number	Diff line number	Diff line change
`@@ -1,5 +1,5 @@`
`1`	`1`	`{`
`2`		`- "terminal.integrated.shell.linux": "bash",`
`3`		`- "extensions.autoUpdate": false,`
`4`		`- "extensions.autoCheckUpdates": false`
	`2`	`+ "extensions.autoCheckUpdates": false,`
	`3`	`+ "extensions.autoUpdate": false,`
	`4`	`+ "terminal.integrated.shell.linux": "bash"`
`5`	`5`	`}`