
Workflow Security: scope bundled shellcheck to real issues#674

Merged: swahtz merged 1 commit into main from ci-gate-shellcheck-scope on Jun 30, 2026

Conversation

@swahtz (Contributor) commented Jun 30, 2026

Problem

The Workflow Security gate (merged in #672) is failing on real PRs (e.g. #673). Its actionlint step runs shellcheck on run: scripts whenever shellcheck is installed — it is on GitHub-hosted runners but not in many local setups, so the check passed locally yet fails on every PR with 157 info/style findings across pre-existing workflow scripts repo-wide:

| code   | count | what                                        |
|--------|-------|---------------------------------------------|
| SC2086 | 146   | unquoted $VAR (word-splitting)              |
| SC2174 | 8     | mkdir -p -m: mode applies only to deepest dir |
| SC2012 | 2     | use find instead of ls                      |
| SC2129 | 1     | grouped redirect style                      |

There are no actual actionlint errors (syntax/type/injection) — purely the bundled shellcheck nits, almost all pre-existing and unrelated to the token work.

Fix

Set SHELLCHECK_OPTS: "-e SC2086,SC2174,SC2012,SC2129" on the actionlint step so the gate fails only on meaningful problems. Every other shellcheck check stays active — including SC2016 (single-quote expansion, the exact bug class fixed during #672) — as do actionlint's own expression/injection checks and the token-policy script. The excludes can be dropped later once the scripts are properly quoted.

Verification

Reproduced locally with shellcheck installed: default actionlint → 157 findings / exit 1; with the excludes → 0 findings / exit 0. zizmor and the token policy are unaffected.

🤖 Generated with Claude Code

The gate's actionlint step runs shellcheck on run: scripts whenever shellcheck
is installed -- it is on GitHub-hosted runners but not in many local setups, so
the check passed locally yet failed on every real PR (e.g. #673) with 157
info/style findings (SC2086 unquoted-var ×146, SC2174, SC2012, SC2129) across
pre-existing workflow scripts repo-wide.

Exclude those four low-value word-splitting/style codes via SHELLCHECK_OPTS so
the gate fails only on meaningful problems. Every other shellcheck check (incl.
SC2016 single-quote expansion) and actionlint's own expression/injection checks
stay active. Excludes can be dropped later once the scripts are quoted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Swartz <jonathan@jswartz.info>
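For reference, here is what the scoped gate looks like as a workflow step. This is an added example, not the PR's own diff: the workflow name, trigger, job and step names, the checkout action version and the actionlint install line are assumptions. The only part taken from the PR is the SHELLCHECK_OPTS value; actionlint passes that variable through to the shellcheck it invokes on run: scripts, so the four excluded codes disappear while SC2016 and actionlint's own expression/injection checks keep firing.

```yaml
# Added example (not from the PR): an actionlint step before and after scoping the
# bundled shellcheck pass. Names, trigger and install line are assumptions.
name: Workflow Security

on:
  pull_request:
    paths: [".github/workflows/**"]

permissions:
  contents: read

jobs:
  actionlint:
    # GitHub-hosted runners ship shellcheck, so actionlint will always find it here.
    # Many local setups do not, which is why the gate passed locally but failed in CI.
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Before: every shellcheck finding in a run: script, info/style included,
      # fails the job (157 findings on the first real PR).
      # - name: actionlint
      #   run: ./actionlint -color

      # After (#674): exclude the four word-splitting/style codes only.
      # SC2016 (single-quoted '$VAR' that was meant to expand) stays active,
      # as do actionlint's expression and script-injection checks.
      # Drop the excludes once the workflow scripts are properly quoted.
      - name: actionlint
        env:
          SHELLCHECK_OPTS: "-e SC2086,SC2174,SC2012,SC2129"
        run: |
          # Install line is an assumption; pin a version/checksum in a real gate.
          bash <(curl -fsSL https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash)
          ./actionlint -color
```

To reproduce the PR's verification locally, run the same binary from the repo root with and without `SHELLCHECK_OPTS` exported (shellcheck must be on PATH, or actionlint silently skips the script checks and both runs look clean).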
swahtz requested a review from a team as a code owner, June 30, 2026 00:56
swahtz requested review from harrism and sifakis, June 30, 2026 00:56
swahtz added the CI label (Issues related to the Github actions CI/CD. For build issues use CMake/Build), Jun 30, 2026
swahtz merged commit 4659dd1 into main, Jun 30, 2026
21 of 22 checks passed
swahtz deleted the ci-gate-shellcheck-scope branch, June 30, 2026 00:58