diff --git a/.github/actionlint.yaml b/.github/actionlint.yaml new file mode 100644 index 0000000000..d47bf99d29 --- /dev/null +++ b/.github/actionlint.yaml @@ -0,0 +1,9 @@ +# Configuration for the actionlint tool, which we run via pre-commit +# to verify the correctness of the syntax in our GitHub Actions workflows. + +self-hosted-runner: + # Various runners we use that aren't recognized out-of-the-box by actionlint: + labels: + - depot-ubuntu-latest-8 + - depot-ubuntu-22.04-16 + - windows-latest-xlarge diff --git a/.github/workflows/build-binaries.yml b/.github/workflows/build-binaries.yml index fa4bd2bd11..5fce3b5aec 100644 --- a/.github/workflows/build-binaries.yml +++ b/.github/workflows/build-binaries.yml @@ -53,7 +53,7 @@ jobs: args: --out dist - name: "Test sdist" run: | - pip install dist/${PACKAGE_NAME}-*.tar.gz --force-reinstall + pip install dist/"${PACKAGE_NAME}"-*.tar.gz --force-reinstall "${MODULE_NAME}" --help python -m "${MODULE_NAME}" --help - name: "Upload sdist" @@ -125,7 +125,7 @@ jobs: args: --release --locked --out dist - name: "Test wheel - aarch64" run: | - pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall + pip install dist/"${PACKAGE_NAME}"-*.whl --force-reinstall ruff --help python -m ruff --help - name: "Upload wheels" @@ -186,7 +186,7 @@ jobs: if: ${{ !startsWith(matrix.platform.target, 'aarch64') }} shell: bash run: | - python -m pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall + python -m pip install dist/"${PACKAGE_NAME}"-*.whl --force-reinstall "${MODULE_NAME}" --help python -m "${MODULE_NAME}" --help - name: "Upload wheels" @@ -236,7 +236,7 @@ jobs: - name: "Test wheel" if: ${{ startsWith(matrix.target, 'x86_64') }} run: | - pip install dist/${PACKAGE_NAME}-*.whl --force-reinstall + pip install dist/"${PACKAGE_NAME}"-*.whl --force-reinstall "${MODULE_NAME}" --help python -m "${MODULE_NAME}" --help - name: "Upload wheels" 
diff --git a/.github/workflows/build-docker.yml b/.github/workflows/build-docker.yml index a8724a0168..1599e3925f 100644 --- a/.github/workflows/build-docker.yml +++ b/.github/workflows/build-docker.yml @@ -142,6 +142,7 @@ jobs: # The printf will expand the base image with the `@sha256: ...` for each sha256 in the directory # The final command becomes `docker buildx imagetools create -t tag1 -t tag2 ... @sha256: @sha256: ...` run: | + # shellcheck disable=SC2046 docker buildx imagetools create \ $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ $(printf "${RUFF_BASE_IMG}@sha256:%s " *) @@ -286,6 +287,8 @@ jobs: # The final command becomes `docker buildx imagetools create -t tag1 -t tag2 ... @sha256: @sha256: ...` run: | readarray -t lines <<< "$DOCKER_METADATA_OUTPUT_ANNOTATIONS"; annotations=(); for line in "${lines[@]}"; do annotations+=(--annotation "$line"); done + + # shellcheck disable=SC2046 docker buildx imagetools create \ "${annotations[@]}" \ $(jq -cr '.tags | map("-t " + .) | join(" ")' <<< "$DOCKER_METADATA_OUTPUT_JSON") \ diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml index 70c73dfe63..e4dc7fe94b 100644 --- a/.github/workflows/ci.yaml +++ b/.github/workflows/ci.yaml @@ -438,7 +438,7 @@ jobs: ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-check-stable - cat ecosystem-result-check-stable > $GITHUB_STEP_SUMMARY + cat ecosystem-result-check-stable > "$GITHUB_STEP_SUMMARY" echo "### Linter (stable)" > ecosystem-result cat ecosystem-result-check-stable >> ecosystem-result echo "" >> ecosystem-result 
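Review bot: The added `# shellcheck disable=SC2046` silences the warning but keeps both unquoted `$(...)` expansions, so the tag list from `jq` and the `printf ... *` output are still word-split and glob-expanded by the shell before `docker buildx imagetools create` sees them. The hunk at -286 has the same suppression, although that step already builds `annotations` as an array; the tags and digests can be built the same way, which removes the need for the directive. The values come from the metadata output and the digest directory, so the practical risk looks low, but quoting by construction is easier to reason about than a suppression. In the second hunk the command continues outside the hunk.

```yaml
run: |
  # … unchanged in the second hunk: readarray/annotations loop …
  readarray -t tag_args < <(jq -r '.tags[] | "-t", .' <<< "$DOCKER_METADATA_OUTPUT_JSON")
  digests=(*)
  docker buildx imagetools create \
    "${tag_args[@]}" \
    "${digests[@]/#/${RUFF_BASE_IMG}@sha256:}"
```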
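Review bot: The `${{ steps.ruff-target.outputs.download-path }}` expression on the `ruff-ecosystem` line is still pasted into the script text unquoted, so the quoting this commit adds for `$GITHUB_STEP_SUMMARY` does not cover it; the value is substituted before bash starts and is then parsed as shell source. Pass it through the step's environment instead: add `DOWNLOAD_PATH: ${{ steps.ruff-target.outputs.download-path }}` under the step's `env:` and call `ruff-ecosystem check ./ruff "${DOWNLOAD_PATH}/ruff" ...`. The same line appears in the hunks at -454, -470 and -486, and each step starts outside its hunk.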
@@ -454,7 +454,7 @@ jobs: ruff-ecosystem check ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-check-preview - cat ecosystem-result-check-preview > $GITHUB_STEP_SUMMARY + cat ecosystem-result-check-preview > "$GITHUB_STEP_SUMMARY" echo "### Linter (preview)" >> ecosystem-result cat ecosystem-result-check-preview >> ecosystem-result echo "" >> ecosystem-result @@ -470,7 +470,7 @@ jobs: ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown | tee ecosystem-result-format-stable - cat ecosystem-result-format-stable > $GITHUB_STEP_SUMMARY + cat ecosystem-result-format-stable > "$GITHUB_STEP_SUMMARY" echo "### Formatter (stable)" >> ecosystem-result cat ecosystem-result-format-stable >> ecosystem-result echo "" >> ecosystem-result @@ -486,7 +486,7 @@ jobs: ruff-ecosystem format ./ruff ${{ steps.ruff-target.outputs.download-path }}/ruff --cache ./checkouts --output-format markdown --force-preview | tee ecosystem-result-format-preview - cat ecosystem-result-format-preview > $GITHUB_STEP_SUMMARY + cat ecosystem-result-format-preview > "$GITHUB_STEP_SUMMARY" echo "### Formatter (preview)" >> ecosystem-result cat ecosystem-result-format-preview >> ecosystem-result echo "" >> ecosystem-result 
@@ -570,13 +570,13 @@ jobs: key: pre-commit-${{ hashFiles('.pre-commit-config.yaml') }} - name: "Run pre-commit" run: | - echo '```console' > $GITHUB_STEP_SUMMARY + echo '```console' > "$GITHUB_STEP_SUMMARY" # Enable color output for pre-commit and remove it for the summary SKIP=cargo-fmt,clippy,dev-generate-all pre-commit run --all-files --show-diff-on-failure --color=always | \ - tee >(sed -E 's/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?[mGK]//g' >> $GITHUB_STEP_SUMMARY) >&1 - exit_code=${PIPESTATUS[0]} - echo '```' >> $GITHUB_STEP_SUMMARY - exit $exit_code + tee >(sed -E 's/\x1B\[([0-9]{1,2}(;[0-9]{1,2})*)?[mGK]//g' >> "$GITHUB_STEP_SUMMARY") >&1 + exit_code="${PIPESTATUS[0]}" + echo '```' >> "$GITHUB_STEP_SUMMARY" + exit "$exit_code" docs: name: "mkdocs" @@ -637,7 +637,7 @@ jobs: - name: "Run checks" run: scripts/formatter_ecosystem_checks.sh - name: "Github step summary" - run: cat target/formatter-ecosystem/stats.txt > $GITHUB_STEP_SUMMARY + run: cat target/formatter-ecosystem/stats.txt > "$GITHUB_STEP_SUMMARY" - name: "Remove checkouts from cache" run: rm -r target/formatter-ecosystem diff --git a/.github/workflows/daily_fuzz.yaml b/.github/workflows/daily_fuzz.yaml index a3a4e84d99..2fd3b84680 100644 --- a/.github/workflows/daily_fuzz.yaml +++ b/.github/workflows/daily_fuzz.yaml @@ -46,6 +46,7 @@ jobs: run: cargo build --locked - name: Fuzz run: | + # shellcheck disable=SC2046 ( uvx \ --python=3.12 \ diff --git a/.github/workflows/pr-comment.yaml b/.github/workflows/pr-comment.yaml index 676d58d0c5..45f760dbf3 100644 --- a/.github/workflows/pr-comment.yaml +++ b/.github/workflows/pr-comment.yaml @@ -30,7 +30,7 @@ jobs: run: | if [[ -f pr-number ]] then - echo "pr-number=$(> $GITHUB_OUTPUT + echo "pr-number=$(> "$GITHUB_OUTPUT" fi - uses: dawidd6/action-download-artifact@v7 
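Review bot: The content of the `pr-number` file is copied into `$GITHUB_OUTPUT` without any check, so a file holding more than one line would define additional step outputs. If that file comes from an artifact uploaded by a pull-request run (the download is not visible in this hunk), its content is outside this workflow's control and should be validated first, for example `pr_number="$(<pr-number)"` followed by `[[ "$pr_number" =~ ^[0-9]+$ ]] || exit 1` before the `echo`. The step starts outside the hunk.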
@@ -66,9 +66,9 @@ jobs: cat pr/ecosystem/ecosystem-result >> comment.txt echo "" >> comment.txt - echo 'comment<> $GITHUB_OUTPUT - cat comment.txt >> $GITHUB_OUTPUT - echo 'EOF' >> $GITHUB_OUTPUT + echo 'comment<> "$GITHUB_OUTPUT" + cat comment.txt >> "$GITHUB_OUTPUT" + echo 'EOF' >> "$GITHUB_OUTPUT" - name: Find existing comment uses: peter-evans/find-comment@v3 diff --git a/.github/workflows/publish-docs.yml b/.github/workflows/publish-docs.yml index 0316b256a5..108d4e28fd 100644 --- a/.github/workflows/publish-docs.yml +++ b/.github/workflows/publish-docs.yml @@ -44,8 +44,8 @@ jobs: # Use version as display name for now display_name="$version" - echo "version=$version" >> $GITHUB_ENV - echo "display_name=$display_name" >> $GITHUB_ENV + echo "version=$version" >> "$GITHUB_ENV" + echo "display_name=$display_name" >> "$GITHUB_ENV" - name: "Set branch name" run: | @@ -55,8 +55,8 @@ jobs: # characters disallowed in git branch names with hyphens branch_display_name="$(echo "${display_name}" | tr -c '[:alnum:]._' '-' | tr -s '-')" - echo "branch_name=update-docs-$branch_display_name-$timestamp" >> $GITHUB_ENV - echo "timestamp=$timestamp" >> $GITHUB_ENV + echo "branch_name=update-docs-$branch_display_name-$timestamp" >> "$GITHUB_ENV" + echo "timestamp=$timestamp" >> "$GITHUB_ENV" - name: "Add SSH key" if: ${{ env.MKDOCS_INSIDERS_SSH_KEY_EXISTS == 'true' }} @@ -112,7 +112,7 @@ jobs: GITHUB_TOKEN: ${{ secrets.ASTRAL_DOCS_PAT }} run: | # set the PR title - pull_request_title="Update ruff documentation for "${display_name}"" + pull_request_title="Update ruff documentation for ${display_name}" # Delete any existing pull requests that are open for this version # by checking against pull_request_title because the new PR will 
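Review bot: The multi-line `comment` output still uses the fixed delimiter `EOF`, so a line consisting of `EOF` inside `comment.txt` ends the value early and whatever follows is parsed as further step outputs. `comment.txt` is assembled from `pr/ecosystem/ecosystem-result`, which appears to come from a downloaded artifact, so a per-run random delimiter is safer: `delimiter="$(openssl rand -hex 16)"`, then `echo "comment<<${delimiter}" >> "$GITHUB_OUTPUT"` and `echo "${delimiter}" >> "$GITHUB_OUTPUT"` around the `cat`. The step begins outside the hunk.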
@@ -124,10 +124,12 @@ jobs: git push origin "${branch_name}" # create the PR - gh pr create --base main --head "${branch_name}" \ - --title "$pull_request_title" \ - --body "Automated documentation update for "${display_name}"" \ - --label "documentation" + gh pr create \ + --base=main \ + --head="${branch_name}" \ + --title="${pull_request_title}" \ + --body="Automated documentation update for ${display_name}" \ + --label="documentation" - name: "Merge Pull Request" if: ${{ inputs.plan != '' && !fromJson(inputs.plan).announcement_tag_is_implicit }} diff --git a/.github/workflows/sync_typeshed.yaml b/.github/workflows/sync_typeshed.yaml index 467f1a8574..d1785034e1 100644 --- a/.github/workflows/sync_typeshed.yaml +++ b/.github/workflows/sync_typeshed.yaml @@ -59,7 +59,7 @@ jobs: run: | cd ruff git push --force origin typeshedbot/sync-typeshed - gh pr list --repo $GITHUB_REPOSITORY --head typeshedbot/sync-typeshed --json id --jq length | grep 1 && exit 0 # exit if there is existing pr + gh pr list --repo "$GITHUB_REPOSITORY" --head typeshedbot/sync-typeshed --json id --jq length | grep 1 && exit 0 # exit if there is existing pr gh pr create --title "Sync vendored typeshed stubs" --body "Close and reopen this PR to trigger CI" --label "internal" create-issue-on-failure: diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml index 3339893e32..5452fd1327 100644 --- a/.pre-commit-config.yaml +++ b/.pre-commit-config.yaml 
@@ -100,5 +100,23 @@ repos: hooks: - id: check-github-workflows + # `actionlint` hook, for verifying correct syntax in GitHub Actions workflows. + # Some additional configuration for `actionlint` can be found in `.github/actionlint.yaml`. + - repo: https://github.com/rhysd/actionlint + rev: v1.7.4 + hooks: + - id: actionlint + # `release.yml` is autogenerated by `dist`; issues need to be fixed there + # (https://opensource.axo.dev/cargo-dist/) + exclude: .github/workflows/release.yml + args: + - "-ignore=SC2129" # ignorable stylistic lint from shellcheck + - "-ignore=SC2016" # another shellcheck lint: seems to have false positives? + additional_dependencies: + # actionlint has a shellcheck integration which extracts shell scripts in `run:` steps from GitHub Actions + # and checks these with shellcheck. This is arguably its most useful feature, + # but the integration only works if shellcheck is installed + - "github.com/wasilibs/go-shellcheck/cmd/shellcheck@v0.10.0" + ci: skip: [cargo-fmt, dev-generate-all]
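Review bot: The new hook is pinned with `rev: v1.7.4`, a tag that the upstream repository can move, and pre-commit fetches and builds that revision on every fresh hook install. Pin to the full commit hash and keep the tag as a comment, e.g. `rev: <full-commit-sha-of-v1.7.4>  # frozen: v1.7.4` (the form `pre-commit autoupdate --freeze` writes). Separately, `-ignore=SC2016` is applied to every workflow on the strength of suspected false positives; a `# shellcheck disable=SC2016` comment at the affected `run:` steps, as this commit does for SC2046, would keep the check active everywhere else.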