Enable Differential ShellCheck #2530
Conversation
|
This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation. |
|
I can squash them If you prefer. |
@jamacku Have you had a chance to test this ? I run a brief test and at first run this will open about 300 code scanning issues based on the existing issues we have. Is this what is expected ? What do you recommend after this happens ? Just leave the existing issues alone and focus on avoiding adding more issues ? Can you perhaps point to a project where we can see this in action ? |
You are right. There are 285 ShellCheck reports in the Security Dashboard. This is expected. It's for your awareness. You can review them and decide how to deal with them. The security dashboard allows you to set notes to each report and dismiss them.
I usually leave the existing issues open and focus on not adding more. But the choice is yours. The security dashboard is "private" to members of the organization, so you won't see the results of other projects that use differential shellcheck unless you are a member. Reports on PR can see anyone. For example, the systemd project is keeping shell scripts free from ShellCheck defects - https://github.com/systemd/systemd/blob/main/.github/workflows/differential-shellcheck.yml We also use it on our RHEL8 and RHEL9 dracut distribution git: It's beneficial to have differential ShellCheck scans because you can start linting your code base without dealing with current reports first (that saves time, allows you to check new incoming changes, and avoids potential regressions caused by fixing false positives). |
|
LGTM. |
|
@jamacku It seems the "Dracut Release Bot" pushed an extra commit to this PR. Can you help reverting the 4th commit on this PR ? Thanks ! |
It performs differential ShellCheck scans and reports results directly on GitHub. documentation: https://github.com/redhat-plumbers-in-action/differential-shellcheck Signed-off-by: Jan Macku <[email protected]>
The `sh_checker_comment: true` requires special permissions (`pull-requests: write`).
This permission level could be achieved only on PR from the `dracut` repository. When PR is opened from the fork, it automatically drops to `read` only.
error message:
```
Commenting on the pull request
{
"message": "Resource not accessible by integration",
"documentation_url": "https://docs.github.com/rest/issues/comments#create-an-issue-comment"
}
```
ShellCheck linting is performed by `differential-shellcheck`.
|
This issue is being marked as stale because it has not had any recent activity. It will be closed if no further activity occurs. If this is still an issue in the latest release of Dracut and you would like to keep it open please comment on this issue within the next 7 days. Thank you for your contributions. |
Differential ShellCheck is a GitHub action that performs differential ShellCheck scans on shell scripts changed via PR and reports results directly in PR.
It is able to produce reports in SARIF format. GitHub understands this format and is able to display it nicely as a PR comment, and on the
Files Changedtab, please see below.Checklist
This will resolve your issues with cleaning your codebase every time the new ShellCheck comes out: #2501
Differential ShellCheck only reports defects directly related to the PR/commit. So you can focus on defects caused by your changes and deal with the existing defects later.