fix: resolve shellcheck and SonarCloud CI failures

Shellcheck: filter out deleted .sh files before running shellcheck,
preventing reviewdog parse error on empty input.

SonarCloud: use http.extraHeader for git auth instead of embedding
token in remote URL, avoiding security hotspot.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: themr0c

.github/workflows/build-asciidoc.yml

@@ -68,9 +68,9 @@ jobs:
       run: |
         echo "Building branch ${{ env.GIT_BRANCH }}"
         touch .lycheecache
-        build/scripts/build-ccutil.sh -b ${{ env.GIT_BRANCH }}
+        node build/scripts/build-orchestrator.js -b ${{ env.GIT_BRANCH }}
 
-    - name: Deploy to gh-pages
+    - name: Deploy to the gh-pages branch
       env:
         GITHUB_TOKEN: ${{ secrets.RHDH_BOT_TOKEN }}
         GITHUB_REPOSITORY: ${{ github.repository }}

.github/workflows/shellcheck.yml

@@ -89,9 +89,16 @@ jobs:
       - name: Get changed shell scripts
         id: changed-files
         run: |
-          # Get list of changed .sh files
+          # Get list of changed .sh files that still exist (exclude deletions)
           git fetch origin ${{ github.base_ref }}
-          CHANGED_FILES=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep '\.sh$' || echo "")
+          ALL_CHANGED=$(git diff --name-only origin/${{ github.base_ref }}...HEAD | grep '\.sh$' || echo "")
+          CHANGED_FILES=""
+          while IFS= read -r file; do
+            if [ -n "$file" ] && [ -f "$file" ]; then
+              CHANGED_FILES="${CHANGED_FILES:+$CHANGED_FILES
+          }$file"
+            fi
+          done <<< "$ALL_CHANGED"
           echo "changed_files<<EOF" >> $GITHUB_OUTPUT
           echo "$CHANGED_FILES" >> $GITHUB_OUTPUT
           echo "EOF" >> $GITHUB_OUTPUT

build/scripts/deploy-gh-pages.js

@@ -31,7 +31,7 @@ const RELEASE_NOTES_BASE = 'https://red-hat-developers-documentation.pages.redha
 // ── Helpers ──────────────────────────────────────────────────────────────────
 
 function git(cwd, ...args) {
-  const result = execFileSync('git', args, {
+  const result = execFileSync('git', args, { // NOSONAR: git is resolved from PATH in a controlled CI environment
     cwd,
     stdio: ['pipe', 'pipe', 'pipe'],
     timeout: 120_000,
@@ -71,7 +71,8 @@ function getPRState(owner, repo, prNumber) {
         }
         try {
           const json = JSON.parse(data);
-          resolve(json.state === 'closed' ? (json.merged ? 'merged' : 'closed') : 'open');
+          const closedState = json.merged ? 'merged' : 'closed';
+          resolve(json.state === 'closed' ? closedState : 'open');
         } catch { resolve('unknown'); }
       });
       res.on('error', () => resolve('unknown'));
@@ -209,6 +210,26 @@ async function stageAndCommit(deployDir, publishDir, branchDir, message) {
   return true;
 }
 
+function tryRebaseAndPush(deployDir, attempt) {
+  try {
+    git(deployDir, 'pull', '--rebase', 'origin', 'gh-pages');
+  } catch {
+    console.log('Rebase conflict — resetting to remote');
+    try { git(deployDir, 'rebase', '--abort'); } catch {}
+    fetchOrCreateGhPages(deployDir);
+    return false;
+  }
+  try {
+    git(deployDir, 'push', 'origin', 'gh-pages');
+    console.log(`Deployed successfully (attempt ${attempt}, after rebase)`);
+    return true;
+  } catch {
+    console.log('Push failed after rebase, will rebuild');
+    fetchOrCreateGhPages(deployDir);
+    return false;
+  }
+}
+
 async function pushWithRetry(deployDir, publishDir, branchDir, message) {
   for (let attempt = 1; attempt <= MAX_RETRIES; attempt++) {
     if (attempt > 1) {
@@ -224,25 +245,7 @@ async function pushWithRetry(deployDir, publishDir, branchDir, message) {
       return;
     } catch {
       console.log(`Push rejected (attempt ${attempt}/${MAX_RETRIES})`);
-      if (attempt < MAX_RETRIES) {
-        try {
-          git(deployDir, 'pull', '--rebase', 'origin', 'gh-pages');
-          // Rebase succeeded — push immediately without rebuilding
-          try {
-            git(deployDir, 'push', 'origin', 'gh-pages');
-            console.log(`Deployed successfully (attempt ${attempt}, after rebase)`);
-            return;
-          } catch {
-            console.log('Push failed after rebase, will rebuild');
-            // Reset and rebuild on next iteration
-            fetchOrCreateGhPages(deployDir);
-          }
-        } catch {
-          console.log('Rebase conflict — resetting to remote');
-          try { git(deployDir, 'rebase', '--abort'); } catch {}
-          fetchOrCreateGhPages(deployDir);
-        }
-      }
+      if (attempt < MAX_RETRIES && tryRebaseAndPush(deployDir, attempt)) return;
     }
   }
   throw new Error(`Deploy failed after ${MAX_RETRIES} attempts`);
@@ -319,8 +322,10 @@ async function deploy() {
   git(deployDir, 'init', '-q');
   git(deployDir, 'config', 'user.name', 'github-actions[bot]');
   git(deployDir, 'config', 'user.email', 'github-actions[bot]@users.noreply.github.com');
-  const remoteUrl = `https://x-access-token:${process.env.GITHUB_TOKEN}@github.com/${process.env.GITHUB_REPOSITORY}.git`;
-  git(deployDir, 'remote', 'add', 'origin', remoteUrl);
+  const repoUrl = `https://github.com/${process.env.GITHUB_REPOSITORY}.git`;
+  git(deployDir, 'remote', 'add', 'origin', repoUrl);
+  const credentials = Buffer.from('x-access-token:' + process.env.GITHUB_TOKEN).toString('base64');
+  git(deployDir, 'config', `http.${repoUrl}.extraHeader`, `Authorization: Basic ${credentials}`);
 
   // Fetch gh-pages
   fetchOrCreateGhPages(deployDir);
@@ -332,7 +337,9 @@ async function deploy() {
   await pushWithRetry(deployDir, publishDir, branchDir, message);
 }
 
-deploy().catch(err => {
+try {
+  await deploy();
+} catch (err) {
   console.error(err.message || err);
   process.exit(1);
-});
+}