From f9a6b4c2376827dc101a9ae00ea8085ea88fa8c4 Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Wed, 30 Jul 2025 22:35:53 -0600
Subject: [PATCH 1/6] shellcheck_run_steps: Pin upstream shellcheck container by SHA

We're using an upstream container until we have a guarded one. Let's pin it by SHA while we're doing that.

Signed-off-by: dann frazier
---
 pre_commit_hooks/shellcheck_run_steps.py | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/pre_commit_hooks/shellcheck_run_steps.py b/pre_commit_hooks/shellcheck_run_steps.py
index c685cd4..8830d6f 100644
--- a/pre_commit_hooks/shellcheck_run_steps.py
+++ b/pre_commit_hooks/shellcheck_run_steps.py
@@ -13,6 +13,9 @@ yaml = ruamel.yaml.YAML(typ="safe")
+# Reference by SHA for safety
+DefaultShellCheckImage = "koalaman/shellcheck@sha256:652a5a714dc2f5f97e36f565d4f7d2322fea376734f3ec1b04ed54ce2a0b124f"
+
 def do_shellcheck(
 melange_cfg: Mapping[str, Any],
@@ -79,7 +82,7 @@ def main(argv: Sequence[str] | None = None) -> int:
 f"--volume={os.getcwd()}:/mnt",
 "--rm",
 "-it",
- "koalaman/shellcheck:latest",
+ DefaultShellCheckImage,
 ],
 nargs="*",
 help="shellcheck command",
From e6ef91d2986e74d775456e41c02742f3aeaa72e1 Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Wed, 30 Jul 2025 22:38:51 -0600
Subject: [PATCH 2/6] shellcheck_run_steps: Use alternate shellcheck if specified

We were previously ignoring the --shellcheck setting.

Signed-off-by: dann frazier
---
 pre_commit_hooks/shellcheck_run_steps.py | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/pre_commit_hooks/shellcheck_run_steps.py b/pre_commit_hooks/shellcheck_run_steps.py
index 8830d6f..def5650 100644
--- a/pre_commit_hooks/shellcheck_run_steps.py
+++ b/pre_commit_hooks/shellcheck_run_steps.py
@@ -58,7 +58,7 @@ def do_shellcheck(
 shfile.write(step["runs"])
 shfile.close()
 subprocess.check_call(
- ["/usr/bin/shellcheck"]
+ shellcheck
 + shellcheck_args
 + ["--shell=busybox", "--"]
 + [os.path.basename(f.name) for _, f in all_steps],
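Review bot: `DefaultShellCheckImage` in the first hunk is a module-level constant in a file whose other names follow PEP 8, so it should be spelled `DEFAULT_SHELLCHECK_IMAGE`; the second hunk, which substitutes it into the argparse default, changes the same way. A bare digest also gives a later reviewer no way to see which upstream release is pinned without resolving it against the registry, so record the tag it was taken from beside it, e.g. `# koalaman/shellcheck:<tag>, resolved <date>; pinned by digest so the bits cannot change underneath us` with the tag and date filled in at pin time (both are placeholders here). Keeping that provenance next to the digest is what makes a future bump auditable.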
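Review bot: The new `shellcheck` prefix of the `check_call` argument list is, going by the `nargs="*"` default shown in the first patch, a user-supplied list, and `--shellcheck` given with no values yields `[]`; the command would then begin with the first shellcheck option or with `--shell=busybox` and fail with an unhelpful `FileNotFoundError`, or run whatever the first remaining argument happens to name. A guard before the call, `if not shellcheck: raise ValueError("--shellcheck needs at least the executable")`, makes the misconfiguration explicit at the point it matters. `do_shellcheck`'s signature and the rest of its body lie outside the hunk, so the type of `shellcheck` is inferred from the parameter name and the argparse default, not from this hunk.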
From f70da2ff38595c74850794262f1184312208e744 Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Wed, 30 Jul 2025 22:40:39 -0600
Subject: [PATCH 3/6] shellcheck_run_steps: Use an argparse metavar as help text

I think this explains the whole -- business more clearly.

Signed-off-by: dann frazier
---
 pre_commit_hooks/shellcheck_run_steps.py | 3 +--
 1 file changed, 1 insertion(+), 2 deletions(-)

diff --git a/pre_commit_hooks/shellcheck_run_steps.py b/pre_commit_hooks/shellcheck_run_steps.py
index def5650..a9ee0c6 100644
--- a/pre_commit_hooks/shellcheck_run_steps.py
+++ b/pre_commit_hooks/shellcheck_run_steps.py
@@ -71,8 +71,7 @@ def main(argv: Sequence[str] | None = None) -> int:
 parser.add_argument(
 "filenames",
 nargs="*",
- help="Filenames to check. You can also pass "
- "arguments to shellcheck before a '--' separator.",
+ metavar="[-- SHELLCHECK ARGS -- ] FILENAMES",
 )
 parser.add_argument(
 "--shellcheck",
From 34d07418569885316be9978689ce8e2ac6f527f0 Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Wed, 30 Jul 2025 22:48:46 -0600
Subject: [PATCH 4/6] example: shellcheck-run-steps

Signed-off-by: dann frazier
---
 example.pre-commit-config.yaml | 9 +++++++--
 1 file changed, 7 insertions(+), 2 deletions(-)

diff --git a/example.pre-commit-config.yaml b/example.pre-commit-config.yaml
index d22473f..e10000a 100644
--- a/example.pre-commit-config.yaml
+++ b/example.pre-commit-config.yaml
@@ -6,8 +6,13 @@ repos:
 - repo: https://github.com/chainguard-dev/pre-commit-hooks
 rev: 71fca50bcd1006b5cbcf71f03a3b493f48c4af7f
 hooks:
- # Not quite ready for prime time yet, due to a tool dependency outside the pre-commit managed environment.
- #- id: shellcheck-run-steps
+ - id: shellcheck-run-steps
+ files: '^[^.][^/]*\.yaml$' # matches non-hidden .yaml files at the top level only
+ args:
+ - "--" # options to hook before this, options to shellcheck after
+ - "-S"
+ - "error"
+ - "--" # terminates shellcheck options, rest will be filenames
 - id: check-for-epoch-bump
 files: |
 (?x)^(
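Review bot: Dropping `help=` leaves the positional with no description in `--help`, and a metavar that contains spaces and brackets is fragile: argparse assembles the usage line from metavars, and older releases fail an internal assertion when such a metavar has to be wrapped across lines, so `--help` may crash instead of explaining the `--` convention. Keep a plain metavar and put the explanation in the help text, e.g. `metavar="FILENAME", help="Filenames to check; options given before a '--' separator are passed to shellcheck."`. These `add_argument` calls are inside `main`, whose definition begins outside the hunk.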
From 4db9c5a7adef3e524a2816c671c41987122bf66b Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Wed, 30 Jul 2025 22:50:20 -0600
Subject: [PATCH 5/6] pre-commit-config: Don't spellcheck the example pre-commit file

Note helpful: args: - - "-i=routeros,mosquitto,metagem,rela,exportfs" + - "-i=routers,mosquito,metagame,real,exports"

Signed-off-by: dann frazier
---
 .pre-commit-config.yaml | 1 +
 1 file changed, 1 insertion(+)

diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index 31cd487..4cfbfb9 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -43,3 +43,4 @@ repos:
 rev: 528d713e620bdf4b41849db93cb489c4fef9f5c5 # v0.6.0
 hooks:
 - id: misspell
+ exclude: '^example\.pre-commit-config\.yaml$'
From bd7e7ae230a7c975388aa0358e420b2c06218192 Mon Sep 17 00:00:00 2001
From: dann frazier
Date: Thu, 31 Jul 2025 10:50:29 -0600
Subject: [PATCH 6/6] shellcheck_run_steps: please grype upstream shellcheck images

Signed-off-by: dann frazier
---
 pre_commit_hooks/shellcheck_run_steps.py | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/pre_commit_hooks/shellcheck_run_steps.py b/pre_commit_hooks/shellcheck_run_steps.py
index a9ee0c6..afd8e1d 100644
--- a/pre_commit_hooks/shellcheck_run_steps.py
+++ b/pre_commit_hooks/shellcheck_run_steps.py
@@ -13,7 +13,8 @@ yaml = ruamel.yaml.YAML(typ="safe")
-# Reference by SHA for safety
+# Please provide the output of `grype koalaman/shellcheck@sha256:`
+# in your PR when bumping. Referenced by SHA for safety.
 DefaultShellCheckImage = "koalaman/shellcheck@sha256:652a5a714dc2f5f97e36f565d4f7d2322fea376734f3ec1b04ed54ce2a0b124f"
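Review bot: The new comment quotes `grype koalaman/shellcheck@sha256:` with the digest cut off, so a contributor who copies it gets an invalid image reference; point at the constant rather than a truncated literal, e.g. `# When bumping DefaultShellCheckImage, run grype against the full pinned reference and include the output in the PR.`. A scan result is only meaningful against a known version, so the comment should also ask the PR to state the upstream tag the new digest was resolved from, since the digest alone does not reveal it. The constant's name is unchanged here, but it is still not PEP 8 for a module-level constant (`DEFAULT_SHELLCHECK_IMAGE`).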