Merge pull request #8 from shubham-stepsecurity/sm/feat/base-lc #5
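# Lints the repository's shell scripts with ShellCheck on pushes and pull
# requests that target main.
name: ShellCheck

on:
  push:
    branches: [main]
    paths:
      # '**.sh' matches scripts in any directory. A bare '*.sh' only matches
      # files at the repository root, while the scan below (scandir: '.')
      # covers the whole tree, so nested scripts would never trigger a run.
      - '**.sh'
  pull_request:
    branches: [main]
    paths:
      - '**.sh'

# Start from an empty GITHUB_TOKEN scope; each job opts in to what it needs.
permissions: {}

jobs:
  shellcheck:
    permissions:
      contents: read  # for actions/checkout to fetch code
    name: ShellCheck
    runs-on: ubuntu-latest
    steps:
      # Every action is pinned to a full commit SHA; the trailing comment
      # records the release tag that SHA was taken from.
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b  # v2.15.0
        with:
          # 'audit' only records outbound connections and blocks nothing.
          # Enforcing an allow-list means switching to 'block' together with
          # 'allowed-endpoints' once the expected destinations are known.
          egress-policy: audit

      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5  # v4.3.1
        with:
          # This job only reads the tree, so do not leave the token in the
          # local git config where later steps could read it.
          persist-credentials: false

      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38  # 2.0.0
        env:
          # SC2155: "Declare and assign separately" - suppressed because the script
          # uses `local var=$(...)` extensively for readability. The exit codes from
          # these assignments are intentionally not checked (failures are handled
          # by downstream empty-string checks instead).
          # SC2034: "Variable appears unused" - suppressed because detection arrays
          # and config variables are read via IFS splitting and indirect expansion,
          # which ShellCheck cannot trace.
          SHELLCHECK_OPTS: '--exclude=SC2155,SC2034'
        with:
          scandir: '.'
          severity: warning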