Add linting for shell scripts and fix existing issues

medic · May 23, 2024 · 9f36de2 · 9f36de2
1 parent fc98a76
commit 9f36de2
Show file tree

Hide file tree

Showing 24 changed files with 141 additions and 114 deletions.
diff --git a/.editorconfig b/.editorconfig
@@ -0,0 +1,9 @@
+# Ignore checking third-party libraries, used by shfmt
+[scripts/docker-helper/simple_curses.sh]
+ignore = true
+[**/node_modules/*]
+ignore = true
+[**/bats-{assert,support}/*]
+ignore = true
+[.husky/_/*]
+ignore = true
diff --git a/.github/workflows/test_couchdb.yml b/.github/workflows/test_couchdb.yml
@@ -1,3 +1,4 @@
+name: Test CouchDB (Conditional)
 on:
   pull_request:
     paths:

diff --git a/.github/workflows/test_shell.yml b/.github/workflows/test_shell.yml
@@ -0,0 +1,27 @@
+name: Test Shellscripts (Conditional)
+on:
+  pull_request:
+    paths:
+      - '**/*.bats'
+      - '**/*.sh'
+      - '.husky/**'
+      - 'scripts/**'
+  push:
+    paths:
+      - '**/*.bats'
+      - '**/*.sh'
+      - '.husky/**'
+      - 'scripts/**'
+
+jobs:
+  test:
+    name: Test Shellscripts
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Checkout
+        uses: actions/checkout@v3
+      - name: Test Shellscripts
+        run: |
+          sudo apt-get update
+          sudo apt-get install shellcheck shfmt
+          npm run lint-shell
diff --git a/.husky/pre-commit b/.husky/pre-commit
@@ -1,4 +1,5 @@
 #!/usr/bin/env sh
+# shellcheck disable=SC1091 # don't test thirdparty packages
 . "$(dirname -- "$0")/_/husky.sh"
 
 branch="$(git rev-parse --abbrev-ref HEAD)"

diff --git a/couchdb/docker-entrypoint.sh b/couchdb/docker-entrypoint.sh
@@ -128,6 +128,7 @@ if [ "$1" = '/opt/couchdb/bin/couchdb' ]; then
 
 	chown -f couchdb:couchdb $CLUSTER_CREDENTIALS || true
 
+	# shellcheck disable=SC2145 # needs additional investigation about intention before I'm confident in changing
 	su -c "ulimit -n 100000 && exec $@" couchdb
 else
 	exec "$@"

diff --git a/nginx/ssl-install.sh b/nginx/ssl-install.sh
@@ -49,14 +49,14 @@ create_self_signed_ssl_certificate()
   mkdir -p /etc/nginx/private
   set_environment_variables_if_not_set
   openssl req -x509 -nodes -newkey rsa:4096 \
-    -keyout $SSL_KEY_FILE_PATH -out $SSL_CERT_FILE_PATH -days 365 \
+    -keyout "$SSL_KEY_FILE_PATH" -out "$SSL_CERT_FILE_PATH" -days 365 \
     -subj "/emailAddress=$EMAIL/C=$COUNTRY/ST=$STATE/L=$LOCALITY/O=$ORGANISATION/OU=$DEPARTMENT/CN=$COMMON_NAME"
 
   return "$?"
 }
 
 generate_self_signed_cert(){
-  if [ -f $SSL_CERT_FILE_PATH -a -f $SSL_KEY_FILE_PATH ]; then
+  if [ -f "$SSL_CERT_FILE_PATH" ] && [ -f "$SSL_KEY_FILE_PATH" ]; then
         echo "self signed SSL cert already exists." >&2
     else
         create_self_signed_ssl_certificate \
@@ -66,7 +66,7 @@ generate_self_signed_cert(){
 
 ensure_own_cert_exits(){
 
-  if [ ! -f $SSL_CERT_FILE_PATH -a ! -f $SSL_KEY_FILE_PATH ]; then
+  if [ ! -f "$SSL_CERT_FILE_PATH" ] && [ ! -f "$SSL_KEY_FILE_PATH" ]; then
   echo "Please provide add your certificate ($SSL_CERT_FILE_PATH) and key ($SSL_KEY_FILE_PATH) in the /etc/nginx/private/ directory"
   exit 1
   fi

diff --git a/nginx/tests/ssl-install.bats b/nginx/tests/ssl-install.bats
@@ -1,22 +1,18 @@
+# shellcheck disable=SC2030,SC2031 # exports doesn't need to leave subshell
 setup() {
     load 'test_helper/bats-support/load'
     load 'test_helper/bats-assert/load'
     load '/app/bash-shellmock/shellmock'
-    # get the containing directory of this file
-    # use $BATS_TEST_FILENAME instead of ${BASH_SOURCE[0]} or $0,
-    # as those will point to the bats executable's location or the preprocessed file respectively
-    DIR="$( cd "$( dirname "$BATS_TEST_FILENAME" )" >/dev/null 2>&1 && pwd )"
 
-     #shellcheck
+    # shellcheck disable=SC1091 # not testing third party scripts
     . shellmock
 
     #create temp cert files
     base_temp_path="$TEST_TEMP_DIR/tmp/bats/etc/nginx/private"
-    mkdir -p $base_temp_path
+    mkdir -p "$base_temp_path"
     export SSL_CERT_FILE_PATH="$base_temp_path/cert.pem"
     export SSL_KEY_FILE_PATH="$base_temp_path/key.pem"
 
-
 }
 
 teardown()
@@ -28,7 +24,7 @@ teardown()
         rm -rf "$TEST_TEMP_DIR"
     fi
 
-    rm -rf $base_temp_path
+    rm -rf "$base_temp_path"
 }
 
 

diff --git a/package.json b/package.json
@@ -37,6 +37,7 @@
     "integration-sentinel-k3d-local": "export VERSION=$(node ./scripts/build/get-version.js) && ./scripts/build/build-service-images.sh && npm run ci-integration-sentinel-k3d",
     "integration-cht-form": "wdio run ./tests/integration/cht-form/wdio.conf.js",
     "lint": "eslint --color --cache . && ./scripts/build/blank-link-check.sh",
+    "lint-shell": "shellcheck $(shfmt -f .)",
     "test": "npm run lint && npm run unit && npm run integration-api",
     "unit": "node scripts/build/cli npmCiModules && npm run unit-webapp && npm run unit-admin && npm run unit-shared-lib && npm run unit-api && npm run unit-sentinel",
     "unit-admin": "node ./scripts/ci/run-karma.js",

diff --git a/scripts/add-local-ip-certs-to-docker-4.x.sh b/scripts/add-local-ip-certs-to-docker-4.x.sh
@@ -47,13 +47,13 @@ then
   exit
 fi
 
-status=$(docker inspect --format="{{.State.Running}}" $container 2> /dev/null)
+status=$(docker inspect --format="{{.State.Running}}" "$container" 2> /dev/null)
 if [ "$status" = "true" ]; then
   result=""
   if [ "$action" = "refresh" ]; then
     result="downloaded fresh local-ip.medicmobile.org"
-    docker exec -it $container bash -c "curl -s -o /etc/nginx/private/cert.pem https://local-ip.medicmobile.org/fullchain"
-    docker exec -it $container bash -c "curl -s -o /etc/nginx/private/key.pem https://local-ip.medicmobile.org/key"
+    docker exec -it "$container" bash -c "curl -s -o /etc/nginx/private/cert.pem https://local-ip.medicmobile.org/fullchain"
+    docker exec -it "$container" bash -c "curl -s -o /etc/nginx/private/key.pem https://local-ip.medicmobile.org/key"
   elif [ "$action" = "expire" ]; then
     result="installed expired local-ip.medicmobile.org"
     docker cp ./tls_certificates/local-ip-expired.crt "$container":/etc/nginx/private/cert.pem
@@ -65,7 +65,7 @@ if [ "$status" = "true" ]; then
   fi
 
   if [ "$result" != "" ]; then
-    docker restart $container
+    docker restart "$container"
     echo ""
     echo "If just container name is shown above, a fresh local-ip.medicmobile.org certificate was ${result}."
     echo ""

diff --git a/scripts/build/blank-link-check.sh b/scripts/build/blank-link-check.sh
@@ -6,7 +6,7 @@ echo "Checking for dangerous _blank links..."
 
 if (git grep -E 'target\\?="_blank"' -- webapp/src admin/src | grep -Ev 'target\\?="_blank" rel\\?="noopener noreferrer"' | grep -Ev '^\\s*//'); then
   echo 'ERROR: Links found with target="_blank" but no rel="noopener noreferrer" set.  Please add required rel attribute.'
-  exit -1;
+  exit 1;
 else
   echo 'No dangerous links found';
 fi
diff --git a/scripts/compress_and_archive_docker_logs.sh b/scripts/compress_and_archive_docker_logs.sh
@@ -44,7 +44,7 @@ docker ps> ${tmp}/docker_ps.log
 docker ps  --format '{{ .Names }}' | xargs -I % sh -c "docker logs --since ${HOURS}h %  > ${tmp}/%.log 2>&1"
 
 cd /tmp/cht-docker-log-tmp
-tar -czf ${log_archive} *
+tar -czf "${log_archive}" ./*
 
 rm /tmp/cht-docker-log-tmp/*
 

diff --git a/scripts/deploy/cht-deploy b/scripts/deploy/cht-deploy
@@ -37,4 +37,5 @@ if [[ $1 != "-f" || -z $2 ]]; then
 fi
 
 # Pass command line arguments to invoke script
+# shellcheck disable=SC2068 # wontfix script will be replaced "soon"
 invoke install $@
diff --git a/scripts/deploy/troubleshooting/describe-deployment b/scripts/deploy/troubleshooting/describe-deployment
@@ -20,9 +20,7 @@ fi
 NAMESPACE=$1
 DEPLOYMENT=$2
 
-kubectl -n $NAMESPACE describe deployment $DEPLOYMENT
-
-if [ $? -ne 0 ]; then
+if ! kubectl -n "$NAMESPACE" describe deployment "$DEPLOYMENT" ; then
   echo "An error occurred while trying to describe deployment $DEPLOYMENT in namespace $NAMESPACE. Please verify that the deployment and namespace exist and that you have permissions to view their contents."
   exit 1
 fi
diff --git a/scripts/deploy/troubleshooting/list-all-resources b/scripts/deploy/troubleshooting/list-all-resources
@@ -18,9 +18,7 @@ fi
 
 NAMESPACE=$1
 
-kubectl -n $NAMESPACE get all
-
-if [ $? -ne 0 ]; then
+if ! kubectl -n "$NAMESPACE" get all ; then
   echo "An error occurred while trying to retrieve resources for namespace $NAMESPACE. Please verify that the namespace exists and that you have permissions to view its contents."
   exit 1
 fi
diff --git a/scripts/deploy/troubleshooting/list-deployments b/scripts/deploy/troubleshooting/list-deployments
@@ -18,9 +18,8 @@ fi
 
 NAMESPACE=$1
 
-kubectl -n $NAMESPACE get deployments
 
-if [ $? -ne 0 ]; then
+if ! kubectl -n "$NAMESPACE" get deployments ; then
   echo "An error occurred while trying to retrieve deployments for namespace $NAMESPACE. Please verify that the namespace exists and that you have permissions to view its contents."
   exit 1
 fi
diff --git a/scripts/deploy/troubleshooting/restart-deployment b/scripts/deploy/troubleshooting/restart-deployment
@@ -21,11 +21,8 @@ fi
 NAMESPACE=$1
 DEPLOYMENT=$2
 
-# Restart the deployment
-kubectl -n $NAMESPACE rollout restart deployment/$DEPLOYMENT
 
-# Check if the restart was successful
-if [ $? -eq 0 ]; then
+if kubectl -n "$NAMESPACE" rollout restart deployment/"$DEPLOYMENT" ; then
   echo "Successfully restarted deployment $DEPLOYMENT in namespace $NAMESPACE."
 else
   echo "Failed to restart deployment $DEPLOYMENT in namespace $NAMESPACE."

diff --git a/scripts/deploy/troubleshooting/view-logs b/scripts/deploy/troubleshooting/view-logs
@@ -21,11 +21,11 @@ fi
 NAMESPACE=$1
 DEPLOYMENT=$2
 SERVICE=${DEPLOYMENT#cht-}
-POD_NAME=$(kubectl -n $NAMESPACE get pods -l cht.service=$SERVICE -o jsonpath="{.items[0].metadata.name}")
+POD_NAME=$(kubectl -n "$NAMESPACE" get pods -l cht.service="$SERVICE" -o jsonpath="{.items[0].metadata.name}")
 
 if [ -z "$POD_NAME" ]; then
   echo "No Pods found for deployment $DEPLOYMENT in Namespace $NAMESPACE."
   exit 1
 fi
 
-kubectl -n $NAMESPACE logs $POD_NAME
+kubectl -n "$NAMESPACE" logs "$POD_NAME"