linting: add shelcheck for shell script lint

L-series · L-series · commit 78344c38b24b · 2025-12-01T15:15:45.000Z
Add linting for shell scripts in the scipts directory as well as any
*.sh file accross the project using shellcheck.

Signed-off-by: Andreas Hatziiliou &lt;andreas.hatziiliou@savoirfairelinux.com&gt;
diff --git a/nix/util.nix b/nix/util.nix
@@ -88,7 +88,8 @@ rec {
 
       inherit (pkgs)
         nixpkgs-fmt
-        shfmt;
+        shfmt
+        shellcheck;
 
       inherit (pkgs.python3Packages)
         mpmath sympy black pyparsing pyyaml;
diff --git a/scripts/lint b/scripts/lint
@@ -20,8 +20,6 @@ fi
 # Standard color definitions
 GREEN="\033[32m"
 RED="\033[31m"
-BLUE="\033[94m"
-BOLD="\033[1m"
 NORMAL="\033[0m"
 
 info()
@@ -106,6 +104,62 @@ gh_error_simple()
   fi
 }
 
+# Identify shell scripts that should be linted with shellcheck.
+shellcheck-targets()
+{
+  local file
+
+  # Emit every tracked file that explicitly ends with .sh.
+  while IFS= read -r -d '' file; do
+    printf '%s\0' "$file"
+  done < <(git ls-files -z -- '*.sh')
+
+  # Add extensionless shell scripts that live under scripts/.
+  while IFS= read -r -d '' file; do
+    if [[ -L $file || ! -f $file ]]; then
+      continue
+    fi
+
+    if head -n1 "$file" | grep -qE '^#!.*/(env )?(ba|da|k|mk|z|)sh'; then
+      printf '%s\0' "$file"
+    fi
+  done < <(git ls-files -z -- 'scripts/*' 'scripts/**/*')
+}
+
+run-shellcheck()
+{
+  if ! command -v shellcheck >/dev/null; then
+    gh_error_simple "Shellcheck missing" "shellcheck is not installed"
+    error "Lint shellcheck"
+    SUCCESS=false
+    gh_summary_failure "Lint shellcheck"
+    return 0
+  fi
+
+  local file
+  local -a files=()
+  while IFS= read -r -d '' file; do
+    files+=("$file")
+  done < <(shellcheck-targets)
+
+  if [[ ${#files[@]} == 0 ]]; then
+    info "Lint shellcheck (no scripts)"
+    gh_summary_success "Lint shellcheck"
+    return 0
+  fi
+
+  local shellcheck_out
+  if ! shellcheck_out=$(shellcheck --severity=warning "${files[@]}" 2>&1); then
+    gh_error_simple "Shellcheck error" "$shellcheck_out"
+    error "Lint shellcheck"
+    SUCCESS=false
+    gh_summary_failure "Lint shellcheck"
+  else
+    info "Lint shellcheck"
+    gh_summary_success "Lint shellcheck"
+  fi
+}
+
 # Formatting
 SUCCESS=true
 
@@ -114,7 +168,11 @@ checkerr "Lint nix" "$(nixpkgs-fmt --check "$ROOT")"
 gh_group_end
 
 gh_group_start "Linting shell scripts with shfmt"
-checkerr "Lint shell" "$(shfmt -s -l -i 2 -ci -fn $(shfmt -f $(git grep -l '' :/)))"
+checkerr "Lint shell" "$(shfmt -s -l -i 2 -ci -fn "$(shfmt -f "$(git grep -l '' :/)")")" 
+gh_group_end
+
+gh_group_start "Linting shell scripts with shellcheck"
+run-shellcheck
 gh_group_end
 
 gh_group_start "Linting python scripts with black"
@@ -130,7 +188,7 @@ fi
 gh_group_end
 
 gh_group_start "Linting c files with clang-format"
-checkerr "Lint C" "$(clang-format $(git ls-files ":/*.c" ":/*.h") --Werror --dry-run 2>&1 | grep "error:" | cut -d ':' -f 1,2 | tr ':' ' ')"
+checkerr "Lint C" "$(clang-format "$(git ls-files ":/*.c" ":/*.h")" --Werror --dry-run 2>&1 | grep "error:" | cut -d ':' -f 1,2 | tr ':' ' ')"
 gh_group_end
 
 check-eol-dry-run()
@@ -152,22 +210,22 @@ check-spdx()
   local success=true
   for file in $(git ls-files -- ":/" ":/!:*.json" ":/!:*.png" ":/!:*LICENSE*" ":/!:.git*" ":/!:flake.lock"); do
     # Ignore symlinks
-    if [[ ! -L $file && $(grep "SPDX-License-Identifier:" $file | wc -l) == 0 ]]; then
+    if [[ ! -L $file && $(grep "SPDX-License-Identifier:" "$file" | wc -l) == 0 ]]; then
       gh_error "$file" "${line:-1}" "Missing license header error" "$file is missing SPDX License header"
       success=false
     fi
   done
   for file in $(git ls-files -- "*.[chsS]" "*.py" "*.mk" "*.yml" "**/Makefile*" ":/!proofs/cbmc/*.py" ":/!examples/bring_your_own_fips202/custom_fips202/tiny_sha3/*"); do
     # Ignore symlinks
-    if [[ ! -L $file && $(grep "Copyright (c) The mldsa-native project authors" $file | wc -l) == 0 ]]; then
+    if [[ ! -L $file && $(grep "Copyright (c) The mldsa-native project authors" "$file" | wc -l) == 0 ]]; then
       gh_error "$file" "${line:-1}" "Missing copyright header error" "$file is missing copyright header"
       success=false
     fi
   done
   # For source files in dev/* and mldsa/*, we enforce `Apache-2.0 OR ISC OR MIT`
   for file in $(git ls-files -- "*.[chsSi]" | grep "^dev/\|^mldsa/"); do
     # Ignore symlinks
-    if [[ ! -L $file && $(grep "SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT" $file | wc -l) == 0 ]]; then
+    if [[ ! -L $file && $(grep "SPDX-License-Identifier: Apache-2.0 OR ISC OR MIT" "$file" | wc -l) == 0 ]]; then
       gh_error "$file" "${line:-1}" "Missing license header error" "$file is not licensed under 'Apache-2.0 OR ISC OR MIT'"
       success=false
     fi
@@ -188,7 +246,7 @@ gh_group_end
 
 check-autogenerated-files()
 {
-  if python3 $ROOT/scripts/autogen --dry-run; then
+  if python3 "$ROOT"/scripts/autogen --dry-run; then
     info "Check native auto-generated files"
     gh_summary_success "Check native auto-generated files"
   else
@@ -204,7 +262,7 @@ gh_group_end
 
 check-magic()
 {
-  if python3 $ROOT/scripts/check-magic >/dev/null; then
+  if python3 "$ROOT"/scripts/check-magic >/dev/null; then
     info "Check magic constants"
     gh_summary_success "Check magic constants"
   else
@@ -224,7 +282,7 @@ fi
 
 check-contracts()
 {
-  if python3 $ROOT/scripts/check-contracts >/dev/null; then
+  if python3 "$ROOT"/scripts/check-contracts >/dev/null; then
     info "Check contracts"
     gh_summary_success "Check contracts"
   else
