taiki-e/install-action
1
0
Fork 0
mirror of https://github.com/taiki-e/install-action.git synced 2025-12-27 01:54:13 -05:00
Code Issues Packages Projects Releases Wiki Activity
Files
4666e0456051edf22fc0bae331c1df874bcaf291
install-action/tools/tidy.sh
Taiki Endo 4666e04560 tools: Update tidy.sh and related configs
2025-02-04 01:29:05 +09:00

1077 lines
43 KiB
Bash
Executable File
Raw Blame History

#!/usr/bin/env bash
# SPDX-License-Identifier: Apache-2.0 OR MIT
# shellcheck disable=SC2046
set -CeEuo pipefail
IFS=$'\n\t'
trap -- 's=$?; printf >&2 "%s\n" "${0##*/}:${LINENO}: \`${BASH_COMMAND}\` exit with ${s}"; exit ${s}' ERR
trap -- 'printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT
cd -- "$(dirname -- "$0")"/..
# USAGE:
# ./tools/tidy.sh
#
# Note: This script requires the following tools:
# - git
# - jq 1.6+
# - npm (node 18+)
# - python 3.6+
# - shfmt
# - shellcheck
# - cargo, rustfmt (if Rust code exists)
# - clang-format (if C/C++/Protobuf code exists)
# - parse-dockerfile <https://github.com/taiki-e/parse-dockerfile> (if Dockerfile exists)
#
# This script is shared with other repositories, so there may also be
# checks for files not included in this repository, but they will be
# skipped if the corresponding files do not exist.
retry() {
for i in {1..10}; do
if "$@"; then
return 0
else
sleep "${i}"
fi
done
"$@"
}
error() {
if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
printf '::error::%s\n' "$*"
else
printf >&2 'error: %s\n' "$*"
fi
should_fail=1
}
warn() {
if [[ -n "${GITHUB_ACTIONS:-}" ]]; then
printf '::warning::%s\n' "$*"
else
printf >&2 'warning: %s\n' "$*"
fi
}
info() {
printf >&2 'info: %s\n' "$*"
}
print_fenced() {
printf '=======================================\n'
printf '%s' "$*"
printf '=======================================\n\n'
}
check_diff() {
if [[ -n "${CI:-}" ]]; then
if ! git --no-pager diff --exit-code "$@"; then
should_fail=1
fi
else
if ! git --no-pager diff --exit-code "$@" &>/dev/null; then
should_fail=1
fi
fi
}
check_config() {
if [[ ! -e "$1" ]]; then
error "could not found $1 in the repository root${2:-}"
fi
}
check_install() {
for tool in "$@"; do
if ! type -P "${tool}" >/dev/null; then
if [[ "${tool}" == 'python3' ]]; then
if type -P python >/dev/null; then
continue
fi
fi
error "'${tool}' is required to run this check"
return 1
fi
done
}
check_unused() {
local kind="$1"
shift
local res
res=$(ls_files "$@")
if [[ -n "${res}" ]]; then
error "the following files are unused because there is no ${kind}; consider removing them"
print_fenced "${res}"$'\n'
fi
}
check_alt() {
local recommended=$1
local not_recommended=$2
if [[ -n "$3" ]]; then
error "please use ${recommended} instead of ${not_recommended} for consistency"
print_fenced "$3"$'\n'
fi
}
check_hidden() {
local res
for file in "$@"; do
check_alt ".${file}" "${file}" "$(comm -23 <(ls_files "*${file}") <(ls_files "*.${file}"))"
done
}
sed_rhs_escape() {
sed 's/\\/\\\\/g; s/\&/\\\&/g; s/\//\\\//g' <<<"$1"
}
venv_install_yq() {
if [[ ! -e "${venv_bin}/yq${exe}" ]]; then
if [[ ! -d .venv ]]; then
"python${py_suffix}" -m venv .venv >&2
fi
info "installing yq to .venv using pip${py_suffix}"
"${venv_bin}/pip${py_suffix}${exe}" install yq >&2
fi
}
if [[ $# -gt 0 ]]; then
cat <<EOF
USAGE:
$0
EOF
exit 1
fi
exe=''
py_suffix=''
if type -P python3 >/dev/null; then
py_suffix=3
fi
venv_bin=.venv/bin
yq() {
venv_install_yq
"${venv_bin}/yq${exe}" "$@"
}
tomlq() {
venv_install_yq
"${venv_bin}/tomlq${exe}" "$@"
}
case "$(uname -s)" in
Linux)
if [[ "$(uname -o)" == 'Android' ]]; then
ostype=android
else
ostype=linux
fi
;;
Darwin) ostype=macos ;;
FreeBSD) ostype=freebsd ;;
NetBSD) ostype=netbsd ;;
OpenBSD) ostype=openbsd ;;
DragonFly) ostype=dragonfly ;;
SunOS)
if [[ "$(/usr/bin/uname -o)" == 'illumos' ]]; then
ostype=illumos
else
ostype=solaris
# Solaris /usr/bin/* are not POSIX-compliant (e.g., grep has no -q, -E, -F),
# and POSIX-compliant commands are in /usr/xpg{4,6,7}/bin.
# https://docs.oracle.com/cd/E88353_01/html/E37853/xpg-7.html
if [[ "${PATH}" != *'/usr/xpg4/bin'* ]]; then
export PATH="/usr/xpg4/bin:${PATH}"
fi
# GNU/BSD grep/sed is required to run some checks, but most checks are okay with other POSIX grep/sed.
# Solaris /usr/xpg4/bin/grep has -q, -E, -F, but no -o (non-POSIX).
# Solaris /usr/xpg4/bin/sed has no -E (POSIX.1-2024) yet.
for tool in sed grep; do
if type -P "g${tool}" >/dev/null; then
eval "${tool}() { g${tool} \"\$@\"; }"
fi
done
fi
;;
MINGW* | MSYS* | CYGWIN* | Windows_NT)
ostype=windows
exe=.exe
venv_bin=.venv/Scripts
if type -P jq >/dev/null; then
# https://github.com/jqlang/jq/issues/1854
_tmp=$(jq -r .a <<<'{}')
if [[ "${_tmp}" != 'null' ]]; then
_tmp=$(jq -b -r .a 2>/dev/null <<<'{}' || true)
if [[ "${_tmp}" == 'null' ]]; then
jq() { command jq -b "$@"; }
else
jq() { command jq "$@" | tr -d '\r'; }
fi
yq() {
venv_install_yq
"${venv_bin}/yq${exe}" "$@" | tr -d '\r'
}
tomlq() {
venv_install_yq
"${venv_bin}/tomlq${exe}" "$@" | tr -d '\r'
}
fi
fi
;;
*) error "unrecognized os type '$(uname -s)' for \`\$(uname -s)\`" ;;
esac
check_install git
exclude_from_ls_files=()
# - `find` lists symlinks. `! ( -name <dir> -prune )` (.i.e., ignore <dir>) are manually listed from .gitignore.
# - `git submodule status` lists submodules. Use sed to remove the first character indicates status ( |+|-).
# - `git ls-files --deleted` lists removed files.
while IFS=$'\n' read -r line; do exclude_from_ls_files+=("${line}"); done < <({
find . \! \( -name .git -prune \) \! \( -name target -prune \) \! \( -name .venv -prune \) \! \( -name tmp -prune \) -type l | cut -c3-
git submodule status | sed 's/^.//' | cut -d' ' -f2
git ls-files --deleted
} | LC_ALL=C sort -u)
exclude_from_ls_files_no_symlink=()
while IFS=$'\n' read -r line; do exclude_from_ls_files_no_symlink+=("${line}"); done < <({
git submodule status | sed 's/^.//' | cut -d' ' -f2
git ls-files --deleted
} | LC_ALL=C sort -u)
ls_files() {
if [[ "${1:-}" == '--include-symlink' ]]; then
shift
comm -23 <(git ls-files "$@" | LC_ALL=C sort) <(printf '%s\n' ${exclude_from_ls_files_no_symlink[@]+"${exclude_from_ls_files_no_symlink[@]}"})
else
comm -23 <(git ls-files "$@" | LC_ALL=C sort) <(printf '%s\n' ${exclude_from_ls_files[@]+"${exclude_from_ls_files[@]}"})
fi
}
# Rust (if exists)
if [[ -n "$(ls_files '*.rs')" ]]; then
info "checking Rust code style"
check_config .rustfmt.toml "; consider adding with reference to https://github.com/taiki-e/cargo-hack/blob/HEAD/.rustfmt.toml"
check_config .clippy.toml "; consider adding with reference to https://github.com/taiki-e/cargo-hack/blob/HEAD/.clippy.toml"
if check_install cargo jq python3; then
# `cargo fmt` cannot recognize files not included in the current workspace and modules
# defined inside macros, so run rustfmt directly.
# We need to use nightly rustfmt because we use the unstable formatting options of rustfmt.
rustc_version=$(rustc -vV | grep -E '^release:' | cut -d' ' -f2)
if [[ "${rustc_version}" =~ nightly|dev ]] || ! type -P rustup >/dev/null; then
if type -P rustup >/dev/null; then
retry rustup component add rustfmt &>/dev/null
fi
info "running \`rustfmt \$(git ls-files '*.rs')\`"
rustfmt $(ls_files '*.rs')
else
if type -P rustup >/dev/null; then
retry rustup component add rustfmt --toolchain nightly &>/dev/null
fi
info "running \`rustfmt +nightly \$(git ls-files '*.rs')\`"
rustfmt +nightly $(ls_files '*.rs')
fi
check_diff $(ls_files '*.rs')
cast_without_turbofish=$(grep -Fn '.cast()' $(ls_files '*.rs') || true)
if [[ -n "${cast_without_turbofish}" ]]; then
error "please replace \`.cast()\` with \`.cast::<type_name>()\`:"
printf '%s\n' "${cast_without_turbofish}"
fi
# Make sure that public Rust crates don't contain executables and binaries.
executables=''
binaries=''
metadata=$(cargo metadata --format-version=1 --no-deps)
root_manifest=''
if [[ -f Cargo.toml ]]; then
root_manifest=$(cargo locate-project --message-format=plain --manifest-path Cargo.toml)
fi
exclude=''
has_public_crate=''
has_root_crate=''
for pkg in $(jq -c '. as $metadata | .workspace_members[] as $id | $metadata.packages[] | select(.id == $id)' <<<"${metadata}"); do
eval "$(jq -r '@sh "publish=\(.publish) manifest_path=\(.manifest_path)"' <<<"${pkg}")"
if [[ "$(tomlq -c '.lints' "${manifest_path}")" == 'null' ]]; then
error "no [lints] table in ${manifest_path} please add '[lints]' with 'workspace = true'"
fi
# Publishing is unrestricted if null, and forbidden if an empty array.
if [[ -z "${publish}" ]]; then
continue
fi
has_public_crate=1
if [[ "${manifest_path}" == "${root_manifest}" ]]; then
has_root_crate=1
exclude=$(tomlq -r '.package.exclude[]' "${manifest_path}")
if ! grep -Eq '^/\.\*$' <<<"${exclude}"; then
error "top-level Cargo.toml of non-virtual workspace should have 'exclude' field with \"/.*\""
fi
if [[ -e tools ]] && ! grep -Eq '^/tools$' <<<"${exclude}"; then
error "top-level Cargo.toml of non-virtual workspace should have 'exclude' field with \"/tools\" if it exists"
fi
if [[ -e target-specs ]] && ! grep -Eq '^/target-specs$' <<<"${exclude}"; then
error "top-level Cargo.toml of non-virtual workspace should have 'exclude' field with \"/target-specs\" if it exists"
fi
fi
done
if [[ -n "${has_public_crate}" ]]; then
check_config .deny.toml "; consider adding with reference to https://github.com/taiki-e/cargo-hack/blob/HEAD/.deny.toml"
info "checking public crates don't contain executables and binaries"
for p in $(ls_files --include-symlink); do
# Skip directories.
if [[ -d "${p}" ]]; then
continue
fi
# Top-level hidden files/directories and tools/* are excluded from crates.io (ensured by the above check).
# TODO: fully respect exclude field in Cargo.toml.
case "${p}" in
.* | tools/* | target-specs/*) continue ;;
*/*) ;;
*)
# If there is no crate at root, executables at the repository root directory if always okay.
if [[ -z "${has_root_crate}" ]]; then
continue
fi
;;
esac
if [[ -x "${p}" ]]; then
executables+="${p}"$'\n'
fi
# Use `diff` instead of `file` because `file` treats an empty file as a binary.
# https://unix.stackexchange.com/questions/275516/is-there-a-convenient-way-to-classify-files-as-binary-or-text#answer-402870
if { diff .gitattributes "${p}" || true; } | grep -Eq '^Binary file'; then
binaries+="${p}"$'\n'
fi
done
if [[ -n "${executables}" ]]; then
error "file-permissions-check failed: executables are only allowed to be present in directories that are excluded from crates.io"
print_fenced "${executables}"
fi
if [[ -n "${binaries}" ]]; then
error "file-permissions-check failed: binaries are only allowed to be present in directories that are excluded from crates.io"
print_fenced "${binaries}"
fi
fi
fi
# Sync markdown to rustdoc.
first=1
for markdown in $(ls_files '*.md'); do
markers=$(grep -En '^<!-- tidy:sync-markdown-to-rustdoc:(start[^ ]*|end) -->' "${markdown}" || true)
# BSD wc's -l emits spaces before number.
if [[ ! "$(LC_ALL=C wc -l <<<"${markers}")" =~ ^\ *2$ ]]; then
if [[ -n "${markers}" ]]; then
error "inconsistent '<!-- tidy:sync-markdown-to-rustdoc:* -->' marker found in ${markdown}"
printf '%s\n' "${markers}"
fi
continue
fi
start_marker=$(head -n1 <<<"${markers}")
end_marker=$(head -n2 <<<"${markers}" | tail -n1)
if [[ "${start_marker}" == *"tidy:sync-markdown-to-rustdoc:end"* ]] || [[ "${end_marker}" == *"tidy:sync-markdown-to-rustdoc:start"* ]]; then
error "inconsistent '<!-- tidy:sync-markdown-to-rustdoc:* -->' marker found in ${markdown}"
printf '%s\n' "${markers}"
continue
fi
if [[ -n "${first}" ]]; then
first=''
info "syncing markdown to rustdoc"
fi
lib="${start_marker#*:<\!-- tidy:sync-markdown-to-rustdoc:start:}"
if [[ "${start_marker}" == "${lib}" ]]; then
error "missing path in '<!-- tidy:sync-markdown-to-rustdoc:start:<path> -->' marker in ${markdown}"
printf '%s\n' "${markers}"
continue
fi
lib="${lib% -->}"
lib="$(dirname -- "${markdown}")/${lib}"
markers=$(grep -En '^<!-- tidy:sync-markdown-to-rustdoc:(start[^ ]*|end) -->' "${lib}" || true)
# BSD wc's -l emits spaces before number.
if [[ ! "$(LC_ALL=C wc -l <<<"${markers}")" =~ ^\ *2$ ]]; then
if [[ -n "${markers}" ]]; then
error "inconsistent '<!-- tidy:sync-markdown-to-rustdoc:* -->' marker found in ${lib}"
printf '%s\n' "${markers}"
else
error "missing '<!-- tidy:sync-markdown-to-rustdoc:* -->' marker in ${lib}"
fi
continue
fi
start_marker=$(head -n1 <<<"${markers}")
end_marker=$(head -n2 <<<"${markers}" | tail -n1)
if [[ "${start_marker}" == *"tidy:sync-markdown-to-rustdoc:end"* ]] || [[ "${end_marker}" == *"tidy:sync-markdown-to-rustdoc:start"* ]]; then
error "inconsistent '<!-- tidy:sync-markdown-to-rustdoc:* -->' marker found in ${lib}"
printf '%s\n' "${markers}"
continue
fi
new='<!-- tidy:sync-markdown-to-rustdoc:start -->'$'\a'
empty_line_re='^ *$'
gfm_alert_re='^> {0,4}\[!.*\] *$'
rust_code_block_re='^ *```(rust|rs) *$'
code_block_attr=''
in_alert=''
first_line=1
ignore=''
while IFS='' read -rd$'\a' line; do
if [[ -n "${ignore}" ]]; then
if [[ "${line}" == '<!-- tidy:sync-markdown-to-rustdoc:ignore:end -->'* ]]; then
ignore=''
fi
continue
fi
if [[ -n "${first_line}" ]]; then
# Ignore start marker.
first_line=''
continue
elif [[ -n "${in_alert}" ]]; then
if [[ "${line}" =~ ${empty_line_re} ]]; then
in_alert=''
new+=$'\a'"</div>"$'\a'
fi
elif [[ "${line}" =~ ${gfm_alert_re} ]]; then
alert="${line#*[\!}"
alert="${alert%%]*}"
alert=$(tr '[:lower:]' '[:upper:]' <<<"${alert%%]*}")
alert_lower=$(tr '[:upper:]' '[:lower:]' <<<"${alert}")
case "${alert}" in
NOTE | TIP | IMPORTANT) alert_sign='ⓘ' ;;
WARNING | CAUTION) alert_sign='⚠' ;;
*)
error "unknown alert type '${alert}' found; please use one of the types listed in <https://docs.github.com/en/get-started/writing-on-github/getting-started-with-writing-and-formatting-on-github/basic-writing-and-formatting-syntax#alerts>"
new+="${line}"$'\a'
continue
;;
esac
in_alert=1
new+="<div class=\"rustdoc-alert rustdoc-alert-${alert_lower}\">"$'\a\a'
new+="> **${alert_sign} ${alert:0:1}${alert_lower:1}**"$'\a>\a'
continue
fi
if [[ "${line}" =~ ${rust_code_block_re} ]]; then
code_block_attr="${code_block_attr#<\!-- tidy:sync-markdown-to-rustdoc:code-block:}"
code_block_attr="${code_block_attr%% -->*}"
new+="${line/\`\`\`*/\`\`\`}${code_block_attr}"$'\a'
code_block_attr=''
continue
fi
if [[ -n "${code_block_attr}" ]]; then
error "'${code_block_attr}' ignored because there is no subsequent Rust code block"
code_block_attr=''
fi
if [[ "${line}" == '<!-- tidy:sync-markdown-to-rustdoc:code-block:'*' -->'* ]]; then
code_block_attr="${line}"
continue
fi
if [[ "${line}" == '<!-- tidy:sync-markdown-to-rustdoc:ignore:start -->'* ]]; then
if [[ "${new}" == *$'\a\a' ]]; then
new="${new%$'\a'}"
fi
ignore=1
continue
fi
new+="${line}"$'\a'
done < <(tr '\n' '\a' <"${markdown}" | grep -Eo '<!-- tidy:sync-markdown-to-rustdoc:start[^ ]* -->.*<!-- tidy:sync-markdown-to-rustdoc:end -->')
new+='<!-- tidy:sync-markdown-to-rustdoc:end -->'
new=$(tr '\n' '\a' <"${lib}" | sed "s/<!-- tidy:sync-markdown-to-rustdoc:start[^ ]* -->.*<!-- tidy:sync-markdown-to-rustdoc:end -->/$(sed_rhs_escape "${new}")/" | tr '\a' '\n')
printf '%s\n' "${new}" >|"${lib}"
check_diff "${lib}"
done
printf '\n'
else
check_unused "Rust code" '*.cargo*' '*clippy.toml' '*deny.toml' '*rustfmt.toml' '*Cargo.toml' '*Cargo.lock'
fi
check_hidden clippy.toml deny.toml rustfmt.toml
# C/C++/Protobuf (if exists)
clang_format_ext=('*.c' '*.h' '*.cpp' '*.hpp' '*.proto')
if [[ -n "$(ls_files "${clang_format_ext[@]}")" ]]; then
info "checking C/C++/Protobuf code style"
check_config .clang-format
if check_install clang-format; then
IFS=' '
info "running \`clang-format -i \$(git ls-files ${clang_format_ext[*]})\`"
IFS=$'\n\t'
clang-format -i $(ls_files "${clang_format_ext[@]}")
check_diff $(ls_files "${clang_format_ext[@]}")
fi
printf '\n'
else
check_unused "C/C++/Protobuf code" '*.clang-format*'
fi
check_alt '.clang-format' '_clang-format' "$(ls_files '*_clang-format')"
# https://gcc.gnu.org/onlinedocs/gcc/Overall-Options.html
check_alt '.cpp extension' 'other extensions' "$(ls_files '*.cc' '*.cp' '*.cxx' '*.C' '*.CPP' '*.c++')"
check_alt '.hpp extension' 'other extensions' "$(ls_files '*.hh' '*.hp' '*.hxx' '*.H' '*.HPP' '*.h++')"
# YAML/HTML/CSS/JavaScript/JSON (if exists)
prettier_ext=('*.css' '*.html' '*.js' '*.json' '*.yml' '*.yaml')
if [[ -n "$(ls_files "${prettier_ext[@]}")" ]]; then
info "checking YAML/HTML/CSS/JavaScript/JSON code style"
check_config .editorconfig
if [[ "${ostype}" == 'solaris' ]] && [[ -n "${CI:-}" ]] && ! type -P npm >/dev/null; then
warn "this check is skipped on Solaris due to no node 18+ in upstream package manager"
elif check_install npm; then
IFS=' '
info "running \`npx -y prettier -l -w \$(git ls-files ${prettier_ext[*]})\`"
IFS=$'\n\t'
npx -y prettier -l -w $(ls_files "${prettier_ext[@]}")
check_diff $(ls_files "${prettier_ext[@]}")
fi
printf '\n'
else
check_unused "YAML/HTML/CSS/JavaScript/JSON file" '*.prettierignore'
fi
# https://prettier.io/docs/en/configuration
check_alt '.editorconfig' 'other configs' "$(ls_files '*.prettierrc*' '*prettier.config.*')"
check_alt '.yml extension' '.yaml extension' "$(ls_files '*.yaml' | { grep -Fv '.markdownlint-cli2.yaml' || true; })"
# TOML (if exists)
if [[ -n "$(ls_files '*.toml' | { grep -Fv '.taplo.toml' || true; })" ]]; then
info "checking TOML style"
check_config .taplo.toml
if [[ "${ostype}" == 'solaris' ]] && [[ -n "${CI:-}" ]] && ! type -P npm >/dev/null; then
warn "this check is skipped on Solaris due to no node 18+ in upstream package manager"
elif check_install npm; then
info "running \`npx -y @taplo/cli fmt \$(git ls-files '*.toml')\`"
RUST_LOG=warn npx -y @taplo/cli fmt $(ls_files '*.toml')
check_diff $(ls_files '*.toml')
fi
printf '\n'
else
check_unused "TOML file" '*taplo.toml'
fi
check_hidden taplo.toml
# Markdown (if exists)
if [[ -n "$(ls_files '*.md')" ]]; then
info "checking markdown style"
check_config .markdownlint-cli2.yaml
if [[ "${ostype}" == 'solaris' ]] && [[ -n "${CI:-}" ]] && ! type -P npm >/dev/null; then
warn "this check is skipped on Solaris due to no node 18+ in upstream package manager"
elif check_install npm; then
info "running \`npx -y markdownlint-cli2 \$(git ls-files '*.md')\`"
if ! npx -y markdownlint-cli2 $(ls_files '*.md'); then
error "check failed; please resolve the above markdownlint error(s)"
fi
fi
printf '\n'
else
check_unused "markdown file" '*.markdownlint-cli2.yaml'
fi
# https://github.com/DavidAnson/markdownlint-cli2#configuration
check_alt '.markdownlint-cli2.yaml' 'other configs' "$(ls_files '*.markdownlint-cli2.jsonc' '*.markdownlint-cli2.cjs' '*.markdownlint-cli2.mjs' '*.markdownlint.*')"
check_alt '.md extension' '*.markdown extension' "$(ls_files '*.markdown')"
# Shell scripts
info "checking shell scripts"
shell_files=()
docker_files=()
bash_files=()
grep_ere_files=()
sed_ere_files=()
for p in $(ls_files '*.sh' '*Dockerfile*'); do
case "${p}" in
tests/fixtures/* | */tests/fixtures/* | *.json) continue ;;
esac
case "${p##*/}" in
*.sh)
shell_files+=("${p}")
re='^#!/.*bash'
if [[ "$(head -1 "${p}")" =~ ${re} ]]; then
bash_files+=("${p}")
fi
;;
*Dockerfile*)
docker_files+=("${p}")
bash_files+=("${p}") # TODO
;;
esac
if grep -Eq '(^|[^0-9A-Za-z\."'\''-])(grep) -[A-Za-z]*E[^\)]' "${p}"; then
grep_ere_files+=("${p}")
fi
if grep -Eq '(^|[^0-9A-Za-z\."'\''-])(sed) -[A-Za-z]*E[^\)]' "${p}"; then
sed_ere_files+=("${p}")
fi
done
workflows=()
actions=()
if [[ -d .github/workflows ]]; then
for p in .github/workflows/*.yml; do
workflows+=("${p}")
bash_files+=("${p}") # TODO
done
fi
if [[ -n "$(ls_files '*action.yml')" ]]; then
for p in $(ls_files '*action.yml'); do
if [[ "${p##*/}" == 'action.yml' ]]; then
actions+=("${p}")
if ! grep -Fq 'shell: sh' "${p}"; then
bash_files+=("${p}")
fi
fi
done
fi
# correctness
res=$({ grep -En '(\[\[ .* ]]|(^|[^\$])\(\(.*\)\))( +#| *$)' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "bare [[ ]] and (( )) may not work as intended: see https://github.com/koalaman/shellcheck/issues/2360 for more"
print_fenced "${res}"$'\n'
fi
# TODO: chmod|chown
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(basename|cat|cd|cp|dirname|ln|ls|mkdir|mv|pushd|rm|rmdir|tee|touch)( +-[0-9A-Za-z]+)* +[^<>\|-]' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "use \`--\` before path(s): see https://github.com/koalaman/shellcheck/issues/2707 / https://github.com/koalaman/shellcheck/issues/2612 / https://github.com/koalaman/shellcheck/issues/2305 / https://github.com/koalaman/shellcheck/issues/2157 / https://github.com/koalaman/shellcheck/issues/2121 / https://github.com/koalaman/shellcheck/issues/314 for more"
print_fenced "${res}"$'\n'
fi
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(LINES|RANDOM|PWD)=' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "do not modify these built-in bash variables: see https://github.com/koalaman/shellcheck/issues/2160 / https://github.com/koalaman/shellcheck/issues/2559 for more"
print_fenced "${res}"$'\n'
fi
# perf
res=$({ grep -En '(^|[^\\])\$\((cat) ' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "use faster \`\$(<file)\` instead of \$(cat -- file): see https://github.com/koalaman/shellcheck/issues/2493 for more"
print_fenced "${res}"$'\n'
fi
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(command +-[vV]) ' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "use faster \`type -P\` instead of \`command -v\`: see https://github.com/koalaman/shellcheck/issues/1162 for more"
print_fenced "${res}"$'\n'
fi
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(type) +-P +[^ ]+ +&>' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "\`type -P\` doesn't output to stderr; use \`>\` instead of \`&>\`"
print_fenced "${res}"$'\n'
fi
# TODO: multi-line case
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(echo|printf )[^;)]* \|[^\|]' "${bash_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "use faster \`<<<...\` instead of \`echo ... |\`/\`printf ... |\`: see https://github.com/koalaman/shellcheck/issues/2593 for more"
print_fenced "${res}"$'\n'
fi
# style
if [[ ${#grep_ere_files[@]} -gt 0 ]]; then
# We intentionally do not check for occurrences in any other order (e.g., -iE, -i -E) here.
# This enforces the style and makes it easier to search.
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(grep) +([^-]|-[^EFP-]|--[^hv])' "${grep_ere_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "please always use ERE (grep -E) instead of BRE for code consistency within a file"
print_fenced "${res}"$'\n'
fi
fi
if [[ ${#sed_ere_files[@]} -gt 0 ]]; then
res=$({ grep -En '(^|[^0-9A-Za-z\."'\''-])(sed) +([^-]|-[^E-]|--[^hv])' "${sed_ere_files[@]}" || true; } | { grep -Ev '^[^ ]+: *(#|//)' || true; } | LC_ALL=C sort)
if [[ -n "${res}" ]]; then
error "please always use ERE (sed -E) instead of BRE for code consistency within a file"
print_fenced "${res}"$'\n'
fi
fi
if check_install shfmt; then
check_config .editorconfig
info "running \`shfmt -w \$(git ls-files '*.sh')\`"
if ! shfmt -w "${shell_files[@]}"; then
error "check failed; please resolve the shfmt error(s)"
fi
check_diff "${shell_files[@]}"
fi
if [[ "${ostype}" == 'solaris' ]] && [[ -n "${CI:-}" ]] && ! type -P shellcheck >/dev/null; then
warn "this check is skipped on Solaris due to no haskell/shellcheck in upstream package manager"
elif check_install shellcheck; then
check_config .shellcheckrc
info "running \`shellcheck \$(git ls-files '*.sh')\`"
if ! shellcheck "${shell_files[@]}"; then
error "check failed; please resolve the above shellcheck error(s)"
fi
# Check scripts in dockerfile.
if [[ ${#docker_files[@]} -gt 0 ]]; then
# Exclude SC2096 due to the way the temporary script is created.
shellcheck_exclude=SC2096
info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in \$(git ls-files '*Dockerfile*')\`"
if [[ "${ostype}" == 'windows' ]]; then
# No such file or directory: '/proc/N/fd/N'
warn "this check is skipped on Windows due to upstream bug (failed to found fd created by <())"
elif [[ "${ostype}" == 'dragonfly' ]]; then
warn "this check is skipped on DragonFly BSD due to upstream bug (hang)"
elif check_install jq python3 parse-dockerfile; then
shellcheck_for_dockerfile() {
local text=$1
local shell=$2
local display_path=$3
if [[ "${text}" == 'null' ]]; then
return
fi
text="#!${shell}"$'\n'"${text}"
case "${ostype}" in
windows) text=${text//\r/} ;;
esac
local color=auto
if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
color=always
fi
if ! shellcheck --color="${color}" --exclude "${shellcheck_exclude}" <(printf '%s\n' "${text}") | sed "s/\/dev\/fd\/[0-9][0-9]*/$(sed_rhs_escape "${display_path}")/g"; then
error "check failed; please resolve the above shellcheck error(s)"
fi
}
for dockerfile_path in ${docker_files[@]+"${docker_files[@]}"}; do
dockerfile=$(parse-dockerfile "${dockerfile_path}")
normal_shell=''
for instruction in $(jq -c '.instructions[]' <<<"${dockerfile}"); do
instruction_kind=$(jq -r '.kind' <<<"${instruction}")
case "${instruction_kind}" in
FROM)
# https://docs.docker.com/reference/dockerfile/#from
# > Each FROM instruction clears any state created by previous instructions.
normal_shell=''
continue
;;
ADD | ARG | CMD | COPY | ENTRYPOINT | ENV | EXPOSE | HEALTHCHECK | LABEL) ;;
# https://docs.docker.com/reference/build-checks/maintainer-deprecated/
MAINTAINER) error "MAINTAINER instruction is deprecated in favor of using label" ;;
RUN) ;;
SHELL)
normal_shell=''
for argument in $(jq -c '.arguments[]' <<<"${instruction}"); do
value=$(jq -r '.value' <<<"${argument}")
if [[ -z "${normal_shell}" ]]; then
case "${value}" in
cmd | cmd.exe | powershell | powershell.exe)
# not unix shell
normal_shell="${value}"
break
;;
esac
else
normal_shell+=' '
fi
normal_shell+="${value}"
done
;;
STOPSIGNAL | USER | VOLUME | WORKDIR) ;;
*) error "unknown instruction ${instruction_kind}" ;;
esac
arguments=''
# only shell-form RUN/ENTRYPOINT/CMD is run in a shell
case "${instruction_kind}" in
RUN)
if [[ "$(jq -r '.arguments.shell' <<<"${instruction}")" == 'null' ]]; then
continue
fi
arguments=$(jq -r '.arguments.shell.value' <<<"${instruction}")
if [[ -z "${arguments}" ]]; then
if [[ "$(jq -r '.here_docs[0]' <<<"${instruction}")" == 'null' ]]; then
error "empty RUN is useless (${dockerfile_path})"
continue
fi
if [[ "$(jq -r '.here_docs[1]' <<<"${instruction}")" != 'null' ]]; then
# TODO:
error "multi here-docs without command is not yet supported (${dockerfile_path})"
fi
arguments=$(jq -r '.here_docs[0].value' <<<"${instruction}")
if [[ "${arguments}" == '#!'* ]]; then
# TODO:
error "here-docs with shebang is not yet supported (${dockerfile_path})"
continue
fi
else
if [[ "$(jq -r '.here_docs[0]' <<<"${instruction}")" != 'null' ]]; then
# TODO:
error "sh/bash command with here-docs is not yet checked (${dockerfile_path})"
fi
fi
;;
ENTRYPOINT | CMD)
if [[ "$(jq -r '.arguments.shell' <<<"${instruction}")" == 'null' ]]; then
continue
fi
arguments=$(jq -r '.arguments.shell.value' <<<"${instruction}")
if [[ -z "${normal_shell}" ]] && [[ -n "${arguments}" ]]; then
# https://docs.docker.com/reference/build-checks/json-args-recommended/
error "JSON arguments recommended for ENTRYPOINT/CMD to prevent unintended behavior related to OS signals"
fi
;;
HEALTHCHECK)
if [[ "$(jq -r '.arguments.kind' <<<"${instruction}")" != "CMD" ]]; then
continue
fi
if [[ "$(jq -r '.arguments.arguments.shell' <<<"${instruction}")" == 'null' ]]; then
continue
fi
arguments=$(jq -r '.arguments.arguments.shell.value' <<<"${instruction}")
;;
*) continue ;;
esac
case "${normal_shell}" in
# not unix shell
cmd | cmd.exe | powershell | powershell.exe) continue ;;
# https://docs.docker.com/reference/dockerfile/#shell
'') shell='/bin/sh -c' ;;
*) shell="${normal_shell}" ;;
esac
shellcheck_for_dockerfile "${arguments}" "${shell}" "${dockerfile_path}"
done
done
fi
fi
# Check scripts in YAML.
if [[ ${#workflows[@]} -gt 0 ]] || [[ ${#actions[@]} -gt 0 ]]; then
# Exclude SC2096 due to the way the temporary script is created.
shellcheck_exclude=SC2086,SC2096,SC2129
info "running \`shellcheck --exclude ${shellcheck_exclude}\` for scripts in .github/workflows/*.yml and **/action.yml"
if [[ "${ostype}" == 'windows' ]]; then
# No such file or directory: '/proc/N/fd/N'
warn "this check is skipped on Windows due to upstream bug (failed to found fd created by <())"
elif [[ "${ostype}" == 'dragonfly' ]]; then
warn "this check is skipped on DragonFly BSD due to upstream bug (hang)"
elif check_install jq python3; then
shellcheck_for_gha() {
local text=$1
local shell=$2
local display_path=$3
if [[ "${text}" == 'null' ]]; then
return
fi
case "${shell}" in
bash* | sh*) ;;
*) return ;;
esac
# Use python because sed doesn't support .*?.
text=$(
"python${py_suffix}" - <(printf '%s\n%s' "#!/usr/bin/env ${shell%' {0}'}" "${text}") <<EOF
import re
import sys
with open(sys.argv[1], 'r') as f:
text = f.read()
text = re.sub(r"\\\${{.*?}}", "\${__GHA_SYNTAX__}", text)
print(text)
EOF
)
case "${ostype}" in
windows) text=${text//\r/} ;;
esac
local color=auto
if [[ -t 1 ]] || [[ -n "${GITHUB_ACTIONS:-}" ]]; then
color=always
fi
if ! shellcheck --color="${color}" --exclude "${shellcheck_exclude}" <(printf '%s\n' "${text}") | sed "s/\/dev\/fd\/[0-9][0-9]*/$(sed_rhs_escape "${display_path}")/g"; then
error "check failed; please resolve the above shellcheck error(s)"
fi
}
for workflow_path in ${workflows[@]+"${workflows[@]}"}; do
workflow=$(yq -c '.' "${workflow_path}")
# The top-level permissions must be weak as they are referenced by all jobs.
permissions=$(jq -c '.permissions' <<<"${workflow}")
case "${permissions}" in
'{"contents":"read"}' | '{"contents":"none"}') ;;
null) error "${workflow_path}: top level permissions not found; it must be 'contents: read' or weaker permissions" ;;
*) error "${workflow_path}: only 'contents: read' and weaker permissions are allowed at top level, but found '${permissions}'; if you want to use stronger permissions, please set job-level permissions" ;;
esac
default_shell=$(jq -r -c '.defaults.run.shell' <<<"${workflow}")
# github's default is https://docs.github.com/en/actions/using-workflows/workflow-syntax-for-github-actions#defaultsrunshell
re='^bash --noprofile --norc -CeEux?o pipefail \{0}$'
if [[ ! "${default_shell}" =~ ${re} ]]; then
error "${workflow_path}: defaults.run.shell should be 'bash --noprofile --norc -CeEuxo pipefail {0}' or 'bash --noprofile --norc -CeEuo pipefail {0}'"
continue
fi
# .steps == null means the job is the caller of reusable workflow
for job in $(jq -c '.jobs | to_entries[] | select(.value.steps)' <<<"${workflow}"); do
name=$(jq -r '.key' <<<"${job}")
job=$(jq -r '.value' <<<"${job}")
n=0
job_default_shell=$(jq -r '.defaults.run.shell' <<<"${job}")
if [[ "${job_default_shell}" == 'null' ]]; then
job_default_shell="${default_shell}"
fi
for step in $(jq -c '.steps[]' <<<"${job}"); do
prepare=''
eval "$(jq -r 'if .run then @sh "RUN=\(.run) shell=\(.shell)" else @sh "RUN=\(.with.run) prepare=\(.with.prepare) shell=\(.with.shell)" end' <<<"${step}")"
if [[ "${RUN}" == 'null' ]]; then
_=$((n++))
continue
fi
if [[ "${shell}" == 'null' ]]; then
if [[ -z "${prepare}" ]]; then
shell="${job_default_shell}"
elif grep -Eq '^ *chsh +-s +[^ ]+/bash' <<<"${prepare}"; then
shell='bash'
else
shell='sh'
fi
fi
shellcheck_for_gha "${RUN}" "${shell}" "${workflow_path} ${name}.steps[${n}].run"
shellcheck_for_gha "${prepare:-null}" 'sh' "${workflow_path} ${name}.steps[${n}].run"
_=$((n++))
done
done
done
for action_path in ${actions[@]+"${actions[@]}"}; do
runs=$(yq -c '.runs' "${action_path}")
if [[ "$(jq -r '.using' <<<"${runs}")" != "composite" ]]; then
continue
fi
n=0
for step in $(jq -c '.steps[]' <<<"${runs}"); do
prepare=''
eval "$(jq -r 'if .run then @sh "RUN=\(.run) shell=\(.shell)" else @sh "RUN=\(.with.run) prepare=\(.with.prepare) shell=\(.with.shell)" end' <<<"${step}")"
if [[ "${RUN}" == 'null' ]]; then
_=$((n++))
continue
fi
if [[ "${shell}" == 'null' ]]; then
if [[ -z "${prepare}" ]]; then
error "\`shell: ..\` is required"
continue
elif grep -Eq '^ *chsh +-s +[^ ]+/bash' <<<"${prepare}"; then
shell='bash'
else
shell='sh'
fi
fi
shellcheck_for_gha "${RUN}" "${shell}" "${action_path} steps[${n}].run"
shellcheck_for_gha "${prepare:-null}" 'sh' "${action_path} steps[${n}].run"
_=$((n++))
done
done
fi
fi
fi
printf '\n'
check_alt '.sh extension' '*.bash extension' "$(ls_files '*.bash')"
# License check
# TODO: This check is still experimental and does not track all files that should be tracked.
if [[ -f tools/.tidy-check-license-headers ]]; then
info "checking license headers (experimental)"
failed_files=''
for p in $(comm -12 <(eval $(<tools/.tidy-check-license-headers) | LC_ALL=C sort) <(ls_files | LC_ALL=C sort)); do
case "${p##*/}" in
*.stderr | *.expanded.rs) continue ;; # generated files
*.json) continue ;; # no comment support
*.sh | *.py | *.rb | *Dockerfile*) prefix=('# ') ;;
*.rs | *.c | *.h | *.cpp | *.hpp | *.s | *.S | *.js) prefix=('// ' '/* ') ;;
*.ld | *.x) prefix=('/* ') ;;
# TODO: More file types?
*) continue ;;
esac
# TODO: The exact line number is not actually important; it is important
# that it be part of the top-level comments of the file.
line=1
if IFS= LC_ALL=C read -rd '' -n3 shebang <"${p}" && [[ "${shebang}" == '#!/' ]]; then
line=2
elif [[ "${p}" == *'Dockerfile'* ]] && IFS= LC_ALL=C read -rd '' -n9 syntax <"${p}" && [[ "${syntax}" == '# syntax=' ]]; then
line=2
fi
header_found=''
for pre in "${prefix[@]}"; do
# TODO: check that the license is valid as SPDX and is allowed in this project.
if [[ "$(grep -Fn "${pre}SPDX-License-Identifier: " "${p}")" == "${line}:${pre}SPDX-License-Identifier: "* ]]; then
header_found=1
break
fi
done
if [[ -z "${header_found}" ]]; then
failed_files+="${p}:${line}"$'\n'
fi
done
if [[ -n "${failed_files}" ]]; then
error "license-check failed: please add SPDX-License-Identifier to the following files"
print_fenced "${failed_files}"
else
printf '\n'
fi
fi
# Spell check (if config exists)
if [[ -f .cspell.json ]]; then
info "spell checking"
project_dictionary=.github/.cspell/project-dictionary.txt
if [[ "${ostype}" == 'solaris' ]] && [[ -n "${CI:-}" ]] && ! type -P npm >/dev/null; then
warn "this check is skipped on Solaris due to no node 18+ in upstream package manager"
elif [[ "${ostype}" == 'illumos' ]]; then
warn "this check is skipped on illumos due to upstream bug (dictionaries are not loaded correctly)"
elif check_install npm jq python3; then
has_rust=''
if [[ -n "$(ls_files '*Cargo.toml')" ]]; then
has_rust=1
dependencies=''
for manifest_path in $(ls_files '*Cargo.toml'); do
if [[ "${manifest_path}" != "Cargo.toml" ]] && [[ "$(tomlq -c '.workspace' "${manifest_path}")" == 'null' ]]; then
continue
fi
m=$(cargo metadata --format-version=1 --no-deps --manifest-path "${manifest_path}" || true)
if [[ -z "${m}" ]]; then
continue # Ignore broken manifest
fi
dependencies+="$(jq -r '. as $metadata | .workspace_members[] as $id | $metadata.packages[] | select(.id == $id) | .dependencies[].name' <<<"${m}")"$'\n'
done
dependencies=$(LC_ALL=C sort -f -u <<<"${dependencies//[0-9_-]/$'\n'}")
fi
config_old=$(<.cspell.json)
config_new=$({ grep -Ev '^ *//' <<<"${config_old}" || true; } | jq 'del(.dictionaries[] | select(index("organization-dictionary") | not)) | del(.dictionaryDefinitions[] | select(.name == "organization-dictionary" | not))')
trap -- 'printf "%s\n" "${config_old}" >|.cspell.json; printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT
printf '%s\n' "${config_new}" >|.cspell.json
dependencies_words=''
if [[ -n "${has_rust}" ]]; then
dependencies_words=$(npx -y cspell stdin --no-progress --no-summary --words-only --unique <<<"${dependencies}" || true)
fi
all_words=$(ls_files | { grep -Fv "${project_dictionary}" || true; } | npx -y cspell --file-list stdin --no-progress --no-summary --words-only --unique || true)
printf '%s\n' "${config_old}" >|.cspell.json
trap -- 'printf >&2 "%s\n" "${0##*/}: trapped SIGINT"; exit 1' SIGINT
cat >|.github/.cspell/rust-dependencies.txt <<EOF
// This file is @generated by ${0##*/}.
// It is not intended for manual editing.
EOF
if [[ -n "${dependencies_words}" ]]; then
LC_ALL=C sort -f >>.github/.cspell/rust-dependencies.txt <<<"${dependencies_words}"$'\n'
fi
if [[ -z "${CI:-}" ]]; then
REMOVE_UNUSED_WORDS=1
fi
if [[ -z "${REMOVE_UNUSED_WORDS:-}" ]]; then
check_diff .github/.cspell/rust-dependencies.txt
fi
if ! grep -Fq '.github/.cspell/rust-dependencies.txt linguist-generated' .gitattributes; then
error "you may want to mark .github/.cspell/rust-dependencies.txt linguist-generated"
fi
info "running \`git ls-files | npx -y cspell --file-list stdin --no-progress --no-summary\`"
if ! ls_files | npx -y cspell --file-list stdin --no-progress --no-summary; then
error "spellcheck failed: please fix uses of below words or add to ${project_dictionary} if correct"
printf '=======================================\n'
{ ls_files | npx -y cspell --file-list stdin --no-progress --no-summary --words-only || true; } | sed "s/'s$//g" | LC_ALL=C sort -f -u
printf '=======================================\n\n'
fi
# Make sure the project-specific dictionary does not contain duplicated words.
for dictionary in .github/.cspell/*.txt; do
if [[ "${dictionary}" == "${project_dictionary}" ]]; then
continue
fi
case "${ostype}" in
# NetBSD uniq doesn't support -i flag.
netbsd) dup=$(sed '/^$/d; /^\/\//d' "${project_dictionary}" "${dictionary}" | LC_ALL=C sort -f | tr '[:upper:]' '[:lower:]' | LC_ALL=C uniq -d) ;;
*) dup=$(sed '/^$/d; /^\/\//d' "${project_dictionary}" "${dictionary}" | LC_ALL=C sort -f | LC_ALL=C uniq -d -i) ;;
esac
if [[ -n "${dup}" ]]; then
error "duplicated words in dictionaries; please remove the following words from ${project_dictionary}"
print_fenced "${dup}"$'\n'
fi
done
# Make sure the project-specific dictionary does not contain unused words.
if [[ -n "${REMOVE_UNUSED_WORDS:-}" ]]; then
grep_args=()
for word in $(grep -Ev '^//' "${project_dictionary}" || true); do
if ! grep -Eqi "^${word}$" <<<"${all_words}"; then
grep_args+=(-e "^${word}$")
fi
done
if [[ ${#grep_args[@]} -gt 0 ]]; then
info "removing unused words from ${project_dictionary}"
res=$(grep -Ev "${grep_args[@]}" "${project_dictionary}" || true)
if [[ -n "${res}" ]]; then
printf '%s\n' "${res}" >|"${project_dictionary}"
else
printf '' >|"${project_dictionary}"
fi
fi
else
unused=''
for word in $(grep -Ev '^//' "${project_dictionary}" || true); do
if ! grep -Eqi "^${word}$" <<<"${all_words}"; then
unused+="${word}"$'\n'
fi
done
if [[ -n "${unused}" ]]; then
error "unused words in dictionaries; please remove the following words from ${project_dictionary} or run ${0##*/} locally"
print_fenced "${unused}"
fi
fi
fi
printf '\n'
fi
if [[ -n "${should_fail:-}" ]]; then
exit 1
fi
Reference in New Issue View Git Blame Copy Permalink