Ensure scripts/ are well lint-ed (#277)

Signed-off-by: Davanum Srinivas <[email protected]>

Author: dims

.github/workflows/lint-test.yml

@@ -75,6 +75,9 @@ jobs:
           - component: helm-charts
             make_command: 'make helm-lint'
             step_name: 'Validate Helm charts'
+          - component: scripts
+            make_command: 'make -C scripts lint'
+            step_name: 'Run shellcheck on scripts'
     steps:
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8  # v5.0.0
 

scripts/build-image-list.sh

@@ -33,12 +33,12 @@ CONTAINER_ORG=${CONTAINER_ORG:-$(git config --get remote.origin.url | sed -n 's#
 if [[ -z "${SAFE_REF_NAME:-}" ]]; then
   CI_COMMIT_REF_NAME=${CI_COMMIT_REF_NAME:-$(git rev-parse --abbrev-ref HEAD)}
   # Sanitize branch name by replacing slashes with dashes
-  SAFE_REF_NAME=$(echo "$CI_COMMIT_REF_NAME" | sed 's#/#-#g')
+  SAFE_REF_NAME=${CI_COMMIT_REF_NAME//\//-}
 fi
 
 # Initialize output file
 out="versions.txt"
-> "$out"
+: > "$out"
 
 # ------- 1) Build dynamic list -------
 # Define array of dynamic images with their respective tags (sorted!)

scripts/buildko.sh

@@ -21,7 +21,8 @@ export KO_LOG=info
 export KO_DOCKER_REPO="${KO_DOCKER_REPO,,}"
 export VERSION="${VERSION:-v0.1.0}"
 export GIT_COMMIT="${GIT_COMMIT:-dev}"
-export BUILD_DATE=$(date -u +%FT%TZ)
+BUILD_DATE=$(date -u +%FT%TZ)
+export BUILD_DATE
 
 # Display build variables for debugging
 echo "Build variables:"

scripts/setup-dev-env.sh

@@ -180,7 +180,7 @@ if ! command_exists yq; then
             exit 1
         fi
     elif [[ "${OS}" == "linux" ]]; then
-        sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_${ARCH}
+        sudo wget -qO /usr/local/bin/yq https://github.com/mikefarah/yq/releases/latest/download/yq_linux_"${ARCH}"
         sudo chmod +x /usr/local/bin/yq
     fi
 
@@ -300,10 +300,10 @@ if [[ "${SKIP_PYTHON}" == "false" ]]; then
 
         if prompt_continue; then
             if [[ "${OS}" == "darwin" ]]; then
-                pip3 install poetry==${POETRY_VERSION}
+                pip3 install poetry=="${POETRY_VERSION}"
             elif [[ "${OS}" == "linux" ]]; then
-                python3 -m pip install --break-system-packages poetry==${POETRY_VERSION} || \
-                    python3 -m pip install --user poetry==${POETRY_VERSION}
+                python3 -m pip install --break-system-packages poetry=="${POETRY_VERSION}" || \
+                    python3 -m pip install --user poetry=="${POETRY_VERSION}"
             fi
             log_success "Poetry installed"
         fi
@@ -316,18 +316,18 @@ if [[ "${SKIP_PYTHON}" == "false" ]]; then
 
         if [[ "${BLACK_INSTALLED}" != "${BLACK_VERSION}"* ]]; then
             log_warning "Black version mismatch (current: ${BLACK_INSTALLED}, target: ${BLACK_VERSION})"
-            log_info "Consider updating: pip install --upgrade black==${PBLACK_VERSION}"
+            log_info "Consider updating: pip install --upgrade black==${BLACK_VERSION}"
         fi
     else
         log_warning "Black not found"
         log_info "Installing Black ${BLACK_VERSION}..."
 
         if prompt_continue; then
             if [[ "${OS}" == "darwin" ]]; then
-                pip3 install black==${BLACK_VERSION}
+                pip3 install black=="${BLACK_VERSION}"
             elif [[ "${OS}" == "linux" ]]; then
-                python3 -m pip install --break-system-packages black==${BLACK_VERSION} || \
-                    python3 -m pip install --user black==${BLACK_VERSION}
+                python3 -m pip install --break-system-packages black=="${BLACK_VERSION}" || \
+                    python3 -m pip install --user black=="${BLACK_VERSION}"
             fi
             log_success "Black installed"
         fi
@@ -399,7 +399,7 @@ if [[ "${SKIP_TOOLS}" == "false" ]]; then
         fi
     fi
 
-    # shellcheck
+    # Install shellcheck
     if command_exists shellcheck; then
         log_success "shellcheck already installed: $(shellcheck --version | head -2 | tail -1)"
     else
@@ -464,7 +464,7 @@ if [[ "${SKIP_TOOLS}" == "false" ]]; then
             if [[ "${OS}" == "darwin" ]]; then
                 brew install tilt-dev/tap/ctlptl
             elif [[ "${OS}" == "linux" ]]; then
-                go install github.com/tilt-dev/ctlptl/cmd/ctlptl@v${CTLPTL_VERSION}
+                go install github.com/tilt-dev/ctlptl/cmd/ctlptl@v"${CTLPTL_VERSION}"
                 sudo cp "$(go env GOPATH)/bin/ctlptl" /usr/local/bin/
             fi
             log_success "ctlptl installed"
@@ -497,8 +497,8 @@ if [[ "${SKIP_TOOLS}" == "false" ]] && command_exists go; then
     log_info "  protoc-gen-go-grpc: ${PROTOC_GEN_GO_GRPC_VERSION}"
 
     if prompt_continue; then
-        go install google.golang.org/protobuf/cmd/protoc-gen-go@${PROTOC_GEN_GO_VERSION}
-        go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@${PROTOC_GEN_GO_GRPC_VERSION}
+        go install google.golang.org/protobuf/cmd/protoc-gen-go@"${PROTOC_GEN_GO_VERSION}"
+        go install google.golang.org/grpc/cmd/protoc-gen-go-grpc@"${PROTOC_GEN_GO_GRPC_VERSION}"
         log_success "Go protobuf/gRPC tools installed"
     fi
 

scripts/update-dockerfile-versions.sh

@@ -79,7 +79,7 @@ SKIPPED_COUNT=0
 
 # Process each Dockerfile
 while IFS= read -r dockerfile; do
-    RELATIVE_PATH="${dockerfile#${REPO_ROOT}/}"
+    RELATIVE_PATH="${dockerfile#"${REPO_ROOT}"/}"
     CHANGED=false
 
     # Check for Go base images

scripts/verify-image-provenance.sh

@@ -52,8 +52,10 @@ readonly BLUE='\033[0;34m'
 readonly NC='\033[0m' # No Color
 
 # Paths
-readonly SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
-readonly REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+readonly SCRIPT_DIR
+REPO_ROOT="$(cd "$SCRIPT_DIR/.." && pwd)"
+readonly REPO_ROOT
 readonly VERSIONS_FILE="${VERSIONS_FILE:-$REPO_ROOT/.versions.yaml}"
 
 # Configuration - load versions from .versions.yaml if available
@@ -416,6 +418,7 @@ EOF
 
         if [ -n "$events" ]; then
             log_info "Policy warnings detected:"
+            # shellcheck disable=SC2001 # sed is appropriate for adding indentation to multiple lines
             echo "$events" | sed 's/^/  /'
         else
             log_info "No policy warnings found in pod events (check Policy Controller logs for details)"
@@ -546,7 +549,7 @@ EOF
         # Look for successful validations (would not have "failed" or "no matching" in logs)
         # In warn mode, successful validations are silent, so we check for policy check counts
         local all_checked_modules
-        all_checked_modules=$(echo "$validated_modules")
+        all_checked_modules="$validated_modules"
 
         # Compare: modules checked vs modules failed = modules that might have passed
         local potentially_passed=""