linting: add shelcheck for shell script lint

L-series · L-series · commit 75c701cd4774 · 2025-12-01T14:25:43.000-05:00
Add linting for shell scripts in the scipts directory as well as any
*.sh file accross the project using shellcheck.

Signed-off-by: Andreas Hatziiliou &lt;andreas.hatziiliou@savoirfairelinux.com&gt;
diff --git a/nix/util.nix b/nix/util.nix
@@ -88,7 +88,8 @@ rec {
 
       inherit (pkgs)
         nixpkgs-fmt
-        shfmt;
+        shfmt
+        shellcheck;
 
       inherit (pkgs.python3Packages)
         mpmath sympy black pyparsing pyyaml;
diff --git a/scripts/format b/scripts/format
@@ -41,7 +41,11 @@ if ! command -v shfmt 2>&1 >/dev/null; then
   error "shfmt not found. Are you running in a nix shell? See BUILDING.md."
   exit 1
 fi
-shfmt -s -w -l -i 2 -ci -fn $(shfmt -f $(git grep -l '' :/))
+
+# Find all scripts in the repo
+ALL_FILES=$(git grep -l '' :/)
+SHELL_SCRIPTS=$(echo "$ALL_FILES" | xargs shfmt -f)
+shfmt -s -l -i 2 -ci -fn $SHELL_SCRIPTS
 
 info "Formatting python scripts"
 if ! command -v black 2>&1 >/dev/null; then
diff --git a/scripts/lint b/scripts/lint
@@ -20,8 +20,6 @@ fi
 # Standard color definitions
 GREEN="\033[32m"
 RED="\033[31m"
-BLUE="\033[94m"
-BOLD="\033[1m"
 NORMAL="\033[0m"
 
 info()
@@ -106,15 +104,36 @@ gh_error_simple()
   fi
 }
 
+run-shellcheck()
+{
+  if ! command -v shellcheck >/dev/null; then
+    gh_error_simple "Shellcheck missing" "shellcheck is not installed"
+    error "Lint shellcheck"
+    SUCCESS=false
+    gh_summary_failure "Lint shellcheck"
+    return 0
+  fi
+
+  checkerr "Lint shellcheck" "$(shellcheck --severity=warning $SHELL_SCRIPTS)"
+}
+
 # Formatting
 SUCCESS=true
 
+# Get list of shell scripts for linting
+ALL_FILES=$(git grep -l '' :/)
+SHELL_SCRIPTS=$(echo "$ALL_FILES" | xargs shfmt -f)
+
 gh_group_start "Linting nix files with nixpkgs-fmt"
 checkerr "Lint nix" "$(nixpkgs-fmt --check "$ROOT")"
 gh_group_end
 
 gh_group_start "Linting shell scripts with shfmt"
-checkerr "Lint shell" "$(shfmt -s -l -i 2 -ci -fn $(shfmt -f $(git grep -l '' :/)))"
+checkerr "Lint shell" "$(echo $SHELL_SCRIPTS | xargs shfmt -s -l -i 2 -ci -fn)"
+gh_group_end
+
+gh_group_start "Linting shell scripts with shellcheck"
+run-shellcheck
 gh_group_end
 
 gh_group_start "Linting python scripts with black"
@@ -130,7 +149,7 @@ fi
 gh_group_end
 
 gh_group_start "Linting c files with clang-format"
-checkerr "Lint C" "$(clang-format $(git ls-files ":/*.c" ":/*.h") --Werror --dry-run 2>&1 | grep "error:" | cut -d ':' -f 1,2 | tr ':' ' ')"
+checkerr "Lint C" "$(clang-format "$(git ls-files ":/*.c" ":/*.h")" --Werror --dry-run 2>&1 | grep "error:" | cut -d ':' -f 1,2 | tr ':' ' ')"
 gh_group_end
 
 check-eol-dry-run()
@@ -152,22 +171,22 @@ check-spdx()
   local success=true
   for file in $(git ls-files -- ":/" ":/!:*.json" ":/!:*.png" ":/!:*LICENSE*" ":/!:.git*" ":/!:flake.lock"); do
     # Ignore symlinks
-    if [[ ! -L $file && $(grep "SPDX-License-Identifier:" $file | wc -l) == 0 ]]; then
+    if [[ ! -L $file && $(grep "SPDX-License-Identifier:" "$file" | wc -l) == 0 ]]; then
       gh_error "$file" "${line:-1}" "Missing license header error" "$file is missing SPDX License header"
       success=false
     fi
   done
   for file in $(git ls-files -- "*.[chsS]" "*.py" "*.mk" "*.yml" "**/Makefile*" ":/!proofs/cbmc/*.py" ":/!examples/bring_your_own_fips202/custom_fips202/tiny_sha3/*"); do
     # Ignore symlinks
-    if [[ ! -L $file && $(grep "Copyright (c) The mldsa-native project authors" $file | wc -l) == 0 ]]; then
+    if [[ ! -L $file && $(grep "Copyright (c) The mldsa-native project authors" "$file" | wc -l) == 0 ]]; then
       gh_error "$file" "${line:-1}" "Missing copyright header error" "$file is missing copyright header"
       success=false
     fi
   done
   # For source files in dev/* and mldsa/*, we enforce `Apache-2.0 OR ISC OR MIT`
   for file in $(git ls-files -- "*.[chsSi]" | grep "^dev/\|^mldsa/"); do
     # Ignore symlinks
-    if [[ ! -L $file && $(grep "SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT" $file | wc -l) == 0 ]]; then
+    if [[ ! -L $file && $(grep "SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT" "$file" | wc -l) == 0 ]]; then
       gh_error "$file" "${line:-1}" "Missing license header error" "$file is not licensed under 'Apache-2.0 OR ISC OR MIT'"
       success=false
     fi
@@ -188,7 +207,7 @@ gh_group_end
 
 check-autogenerated-files()
 {
-  if python3 $ROOT/scripts/autogen --dry-run; then
+  if python3 "$ROOT"/scripts/autogen --dry-run; then
     info "Check native auto-generated files"
     gh_summary_success "Check native auto-generated files"
   else
@@ -204,7 +223,7 @@ gh_group_end
 
 check-magic()
 {
-  if python3 $ROOT/scripts/check-magic >/dev/null; then
+  if python3 "$ROOT"/scripts/check-magic >/dev/null; then
     info "Check magic constants"
     gh_summary_success "Check magic constants"
   else
@@ -224,7 +243,7 @@ fi
 
 check-contracts()
 {
-  if python3 $ROOT/scripts/check-contracts >/dev/null; then
+  if python3 "$ROOT"/scripts/check-contracts >/dev/null; then
     info "Check contracts"
     gh_summary_success "Check contracts"
   else
