Extracts and checks shell scripts in Github Workflows for potential issues using shellcheck (https://github.com/koalaman/shellcheck).
Project description
shellcheck-gha
This Python script extracts shell scripts from GitHub workflows
(jobs.<job_id>.steps[*].run
) and runs them against ShellCheck.
Installation
Requirements:
- Python ≥ 3.11
- ShellCheck ≥ 0.9.0, available on
apt
,brew
,cabal
,dnf
, andpkg
.
PyPI (prefered)
The project is hosted on PyPI at https://pypi.org/project/shellcheck-gha/. To install the project, run:
$ pip install shellcheck-gha
From Source
Alternatively, the project can be cloned and installed using poetry.
$ git clone https://github.com/saleor/shellcheck-gha
$ pip install poetry
$ poetry install
$ shellcheck-gha --help
Usage
$ shellcheck-gha --help
usage: shellcheck-gha [-h] [--default-shell DEFAULT_SHELL] [--verbose] [--debug] directory
positional arguments:
directory
options:
-h, --help show this help message and exit
--default-shell DEFAULT_SHELL
The default shell running in the workflow(s)
--verbose Show more details about the execution.
--debug Add debug information (takes precedence over --verbose).
Example
$ shellcheck-gha .
=== Results: 2 file(s) have findings ===
Scanned 5 files (16 shell scripts)
[INFO] In bad.yaml:
Message: Double quote to prevent globbing and word splitting.
More information: https://www.shellcheck.net/wiki/SC2086
Code:
test $USE_GITIGNORE == true
^^^^^^^^^^^^^^^
[INFO] In tests/sample_workflows/with-findings.yaml:
Message: Double quote to prevent globbing and word splitting.
More information: https://www.shellcheck.net/wiki/SC2086
Code:
echo $BAD_JOB1
^^^^^^^^^^
[INFO] In tests/sample_workflows/with-findings.yaml:
Message: Double quote to prevent globbing and word splitting.
More information: https://www.shellcheck.net/wiki/SC2086
Code:
echo $BAD_JOB1
^^^^^^^^^^
Goals
- Only check *nix related shells (sh, bash, ksh)
- Provide useful logs that allow the users to quickly find the problematic code in their workflow.
Non-Goals
- Differential checking (base vs head commit)
- Logical understanding of GitHub workflows, such as (but not limited to):
- Handling
defaults.run.shell
- Support for string interpolation (
${{ ... }}
)
- Handling
- Tracking down exact locations of the findings (line numbers, columns)
Project details
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
shellcheck_gha-0.1.0.tar.gz
(8.1 kB
view hashes)
Built Distribution
Close
Hashes for shellcheck_gha-0.1.0-py3-none-any.whl
Algorithm | Hash digest | |
---|---|---|
SHA256 | d31b76b8ef55a387ac166b70ecf3ee2a453abd2e2980c829bd4970050e185a4d |
|
MD5 | 07afe87cb281ef03a53bef4da27a6038 |
|
BLAKE2b-256 | 0e2886a30f9208ab8abb3de52c82bd6d6a6572668f5b3802caf60c6daac18adf |