Extracts and checks shell scripts in Github Workflows for potential issues using shellcheck (https://github.com/koalaman/shellcheck).
Project description
shellcheck-gha
This Python script extracts shell scripts from GitHub workflows
(jobs.<job_id>.steps[*].run) and runs them against ShellCheck.
Installation
Requirements:
- Python ≥ 3.11
- ShellCheck ≥ 0.9.0, available on
apt,brew,cabal,dnf, andpkg.
Using GitHub Actions (recommended)
The shellcheck-gha project can be used as a GitHub Workflow step:
on:
push:
paths:
- .github/**
pull_request:
paths:
- .github/**
permissions:
contents: read
jobs:
check:
runs-on: ubuntu-latest
steps:
- name: Checkout
uses: actions/checkout@v4
- name: Run ShellCheck
uses: saleor/shellcheck-gha@v0
# Uncomment to customize the scan directory:
# with:
# scan-directory-path: .github/
[!IMPORTANT]
By default only the./.githubdirectory is scanned (recursively). If some GitHub Composite actions are defined outside the.githubdirectory, consider adding steps to scan the additional directories by changing thescan-directory-pathparameter.
PyPI
The project is hosted on PyPI at https://pypi.org/project/shellcheck-gha/. To install the project, run:
$ pip install shellcheck-gha
From Source
Alternatively, the project can be cloned and installed using poetry.
$ git clone https://github.com/saleor/shellcheck-gha
$ pip install poetry
$ poetry install
$ shellcheck-gha --help
Usage
$ shellcheck-gha --help
usage: shellcheck-gha [-h] [--default-shell DEFAULT_SHELL] [--verbose] [--debug] [--skip-unknown-files | --no-skip-unknown-files] [directory]
positional arguments:
directory
options:
-h, --help show this help message and exit
--default-shell DEFAULT_SHELL
The default shell running in the workflow(s)
--verbose Show more details about the execution.
--debug Add debug information (takes precedence over --verbose).
--skip-unknown-files, --no-skip-unknown-files
Whether to exit with an error on when parsing non-GitHub workflow or composite action YAML files. Skipping is useful when a directory
may be mixed with other YAML files (e.g. config files such as .github/dependabot.yaml). Unknown files are skipped by default.
Example
$ shellcheck-gha .
=== Results: 2 file(s) have findings ===
Scanned 5 files (16 shell scripts)
[INFO] In bad.yaml:
Message: Double quote to prevent globbing and word splitting.
More information: https://www.shellcheck.net/wiki/SC2086
Code:
test $USE_GITIGNORE == true
^^^^^^^^^^^^^^^
[INFO] In tests/sample_workflows/with-findings.yaml:
Message: Double quote to prevent globbing and word splitting.
More information: https://www.shellcheck.net/wiki/SC2086
Code:
echo $BAD_JOB1
^^^^^^^^^^
[INFO] In tests/sample_workflows/with-findings.yaml:
Message: Double quote to prevent globbing and word splitting.
More information: https://www.shellcheck.net/wiki/SC2086
Code:
echo $BAD_JOB2
^^^^^^^^^^
Goals
- Only check *nix related shells (sh, bash, ksh)
- Provide useful logs that allow the users to quickly find the problematic code in their workflow.
Non-Goals
- Differential checking (base vs head commit)
- Logical understanding of GitHub workflows, such as (but not limited to):
- Handling
defaults.run.shell - Support for string interpolation (
${{ ... }})
- Handling
- Tracking down exact locations of the findings (line numbers, columns)
Release history Release notifications | RSS feed
Download files
Download the file for your platform. If you're not sure which to choose, learn more about installing packages.
Source Distribution
Built Distribution
Hashes for shellcheck_gha-0.1.2-py3-none-any.whl
| Algorithm | Hash digest | |
|---|---|---|
| SHA256 | 6fcd645a34ba35801f00e0885ef0dc44adc36848c3b2a52c3fdf90bd05e5aac4 |
|
| MD5 | 8c2cad51aa293844d9337f231675bf2e |
|
| BLAKE2b-256 | 2546fb8263215f03fba2d33843b9f773b8c663f346101f77dd1b29bf721ae49c |
