Workflow Security: scope bundled shellcheck to real issues #674
Merged
Conversation
The gate's actionlint step runs shellcheck on run: scripts whenever shellcheck is installed -- it is on GitHub-hosted runners but not in many local setups, so the check passed locally yet failed on every real PR (e.g. #673) with 157 info/style findings (SC2086 unquoted-var ×146, SC2174, SC2012, SC2129) across pre-existing workflow scripts repo-wide. Exclude those four low-value word-splitting/style codes via SHELLCHECK_OPTS so the gate fails only on meaningful problems. Every other shellcheck check (incl. SC2016 single-quote expansion) and actionlint's own expression/injection checks stay active. Excludes can be dropped later once the scripts are quoted.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>
Signed-off-by: Jonathan Swartz <jonathan@jswartz.info>
Problem

The Workflow Security gate (merged in #672) is failing on real PRs (e.g. #673). Its actionlint step runs shellcheck on `run:` scripts whenever shellcheck is installed — it is on GitHub-hosted runners but not in many local setups, so the check passed locally yet fails on every PR with 157 info/style findings across pre-existing workflow scripts repo-wide:

- `$VAR` (word-splitting)
- `mkdir -p -m` mode only on deepest dir
- `find` instead of `ls`

There are no actual actionlint errors (syntax/type/injection) — purely the bundled shellcheck nits, almost all pre-existing and unrelated to the token work.
Fix

Set `SHELLCHECK_OPTS: "-e SC2086,SC2174,SC2012,SC2129"` on the actionlint step so the gate fails only on meaningful problems. Every other shellcheck check stays active — including SC2016 (single-quote expansion, the exact bug class fixed during #672) — as do actionlint's own expression/injection checks and the token-policy script. The excludes can be dropped later once the scripts are properly quoted.

Verification

Reproduced locally with shellcheck installed: default `actionlint` → 157 findings / exit 1; with the excludes → 0 findings / exit 0. `zizmor` and the token policy are unaffected.

🤖 Generated with Claude Code
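The step shape the Fix section describes, written out as an added illustration; this is not the repository's workflow file (the PR's diff is not shown on this page), and the job name, runner, checkout action and the assumption that actionlint is already on PATH are all mine. actionlint runs shellcheck as a subprocess, so a step-level `env:` is enough for the exclusions to apply, and keeping them at step level rather than job or workflow level means any other shellcheck invocation in the same job still runs with the full default rule set.

```yaml
# Added example, not the project's own workflow. Names, runner and install
# method are assumptions; only the SHELLCHECK_OPTS value comes from the PR.
name: workflow-security
on: [pull_request]

permissions:
  contents: read

jobs:
  workflow-security:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4

      # Exclusions scoped to this one step via env:, so they do not leak into
      # any other shellcheck run in the job.
      - name: actionlint (with bundled shellcheck)
        env:
          # Only the four info/style codes named in the PR are excluded;
          # everything else, SC2016 included, still fails the gate.
          SHELLCHECK_OPTS: "-e SC2086,SC2174,SC2012,SC2129"
        run: |
          set -euo pipefail
          # Print the shellcheck version so the log shows whether the bundled
          # checks actually ran; this is the local-pass/CI-fail gap from the
          # Problem section (actionlint silently skips them when shellcheck
          # is absent). Assumes actionlint is already installed on PATH.
          shellcheck --version
          actionlint
```

To reproduce the Verification numbers locally, run `actionlint` once with shellcheck installed and once as `SHELLCHECK_OPTS="-e SC2086,SC2174,SC2012,SC2129" actionlint`; the difference in findings is exactly the set being excluded, which is a useful sanity check that the exclude list is not wider than intended before trusting the gate on real PRs.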