From 77aa1ef1b840ab407a29f644641922f5385b48e0 Mon Sep 17 00:00:00 2001
From: sebthom
Date: Tue, 20 May 2025 23:46:59 +0200
Subject: [PATCH] fix: address shellcheck findings
---
 build-image.sh | 30 ++++++++++++++++--------------
 image/fix_permissions.sh | 37 +++++++++++++++++++------------------
 image/run.sh | 28 +++++++++++++++------------
 image/run_runner.sh | 16 ++++++++++------
 4 files changed, 60 insertions(+), 51 deletions(-)
diff --git a/build-image.sh b/build-image.sh
index 2d06952..4fb4e99 100644
--- a/build-image.sh
+++ b/build-image.sh
@@ -9,8 +9,9 @@ function curl() {
 command curl -sSfL --connect-timeout 10 --max-time 30 --retry 3 --retry-all-errors "$@"
 }
-shared_lib="$(dirname $0)/.shared"
-[ -e "$shared_lib" ] || curl https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s) | bash -s v1 "$shared_lib" || exit 1
+shared_lib="$(dirname "${BASH_SOURCE[0]}")/.shared"
+[[ -e $shared_lib ]] || curl "https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s)" | bash -s v1 "$shared_lib" || exit 1
+# shellcheck disable=SC1091 # Not following: $shared_lib/lib/build-image-init.sh was not specified as input
 source "$shared_lib/lib/build-image-init.sh"
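Review bot: The bootstrap on the `[[ -e $shared_lib ]] || curl … | bash -s v1 "$shared_lib" || exit 1` line still pipes a freshly downloaded script straight into bash, and the trailing `|| exit 1` only sees bash's status: when the wrapped `curl -f` fails, bash reads an empty stream and exits 0, so the guard never fires unless `set -o pipefail` is active further up (not visible here), and the failure surfaces later as a confusing error on the `source` line. Downloading to a temporary file first and executing only after the transfer succeeded, e.g. `tmp=$(mktemp) && curl -o "$tmp" "https://raw.githubusercontent.com/vegardit/docker-shared/v1/download.sh?_=$(date +%s)" && bash "$tmp" v1 "$shared_lib" || exit 1`, makes the error path honest and gives a natural place to verify a checksum of the fetched script, which the current form cannot do. A one-line comment above it stating that `.shared` is a cached one-time download of the shared build helpers would also help the next reader.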
@@ -69,42 +70,43 @@ echo "
 docker buildx version # ensures buildx is enabled
 docker buildx create --config /etc/buildkitd.toml --use # prevents: error: multiple platforms feature is currently not supported for docker driver. Please switch to a different driver (eg. "docker buildx create --use")
+# shellcheck disable=SC2154,SC2046 # base_layer_cache_key is referenced but not assigned / Quote this to prevent word splitting
 docker buildx build "$project_root" \
 --file "image/Dockerfile" \
 --progress=plain \
 --pull \
- --build-arg INSTALL_SUPPORT_TOOLS=${INSTALL_SUPPORT_TOOLS:-0} \
+ --build-arg INSTALL_SUPPORT_TOOLS="${INSTALL_SUPPORT_TOOLS:-0}" \
 `# using the current date as value for BASE_LAYER_CACHE_KEY, i.e. the base layer cache (that holds system packages with security updates) will be invalidate once per day` \
- --build-arg BASE_LAYER_CACHE_KEY=$base_layer_cache_key \
- --build-arg BUILD_DATE=$(date -u +"%Y-%m-%dT%H:%M:%SZ") \
+ --build-arg BASE_LAYER_CACHE_KEY="$base_layer_cache_key" \
+ --build-arg BUILD_DATE="$(date -u +"%Y-%m-%dT%H:%M:%SZ")" \
 --build-arg GIT_BRANCH="${GIT_BRANCH:-$(git rev-parse --abbrev-ref HEAD)}" \
- --build-arg GIT_COMMIT_DATE="$(date -d @$(git log -1 --format='%at') --utc +'%Y-%m-%d %H:%M:%S UTC')" \
+ --build-arg GIT_COMMIT_DATE="$(date -d "@$(git log -1 --format='%at')" --utc +'%Y-%m-%d %H:%M:%S UTC')" \
 --build-arg GIT_COMMIT_HASH="$(git rev-parse --short HEAD)" \
 --build-arg GIT_REPO_URL="$(git config --get remote.origin.url)" \
 --build-arg GITEA_ACT_RUNNER_VERSION="$gitea_act_runner_effective_version" \
- --build-arg FLAVOR=$DOCKER_IMAGE_FLAVOR \
+ --build-arg FLAVOR="$DOCKER_IMAGE_FLAVOR" \
 $(if [[ "${ACT:-}" == "true" || "${DOCKER_PUSH:-}" != "true" ]]; then \
 echo -n "--load --output type=docker"; \
 else \
 echo -n "--platform linux/amd64,linux/arm64,linux/arm/v7"; \
 fi) \
- -t $image_name \
- -t $image_name2 \
+ -t "$image_name" \
+ -t "$image_name2" \
 $(if [[ "${DOCKER_PUSH:-}" == "true" ]]; then echo -n "--push"; fi) \
 "$@"
 docker buildx stop
 set +x
 if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
- docker image pull $image_name
+ docker image pull "$image_name"
 fi
 #################################################
 # push image to ghcr.io
 #################################################
 if [[ "${DOCKER_PUSH_GHCR:-}" == "true" ]]; then
- (set -x; regctl image copy $image_name ghcr.io/$image_name)
- (set -x; regctl image copy $image_name2 ghcr.io/$image_name2)
+ (set -x; regctl image copy "$image_name" "ghcr.io/$image_name")
+ (set -x; regctl image copy "$image_name2" "ghcr.io/$image_name2")
 fi
@@ -113,7 +115,7 @@ fi
 #################################################
 echo
 log INFO "Testing docker image [$image_name]..."
-(set -x; docker run --rm $image_name act_runner --version)
+(set -x; docker run --rm "$image_name" act_runner --version)
 echo
@@ -122,5 +124,5 @@ echo
 #################################################
 # TODO see https://gitea.com/gitea/act_runner/issues/513
 if [[ "${DOCKER_AUDIT_IMAGE:-1}" == 1 && "$GITEA_ACT_RUNNER_VERSION" == "nightly" ]]; then
- bash "$shared_lib/cmd/audit-image.sh" $image_name
+ bash "$shared_lib/cmd/audit-image.sh" "$image_name"
 fi
diff --git a/image/fix_permissions.sh b/image/fix_permissions.sh
index c9e60ad..e10b922 100644
--- a/image/fix_permissions.sh
+++ b/image/fix_permissions.sh
@@ -4,7 +4,8 @@
 # SPDX-FileContributor: Sebastian Thomschke
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
-#
+
+# shellcheck disable=SC1091 # Not following: /opt/bash-init.sh was not specified as input source
 source /opt/bash-init.sh
 act_user=act
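Review bot: The new `# shellcheck disable=SC2154,SC2046` directive in front of `docker buildx build` silences the word-splitting warning rather than removing its cause: the two unquoted `$(if …; then echo -n …; fi)` substitutions depend on splitting to yield separate arguments, which is exactly what SC2046 flags, and the directive blankets the whole multi-line command. Collecting the mode-dependent flags in an array before the command keeps the call fully quoted, leaves only the SC2154 suppression for `base_layer_cache_key` (which appears to be assigned by the sourced init script; not visible here), and makes the load/push decision readable on its own. This hunk starts in the preceding line and ends at the `fi` before `@@ -113`; only the two substituted positions and the lines above the command change.
```shell
# buildx flags that depend on the publishing mode, kept in an array so the
# command below stays fully quoted and needs no SC2046 suppression
buildx_output_args=()
if [[ "${ACT:-}" == "true" || "${DOCKER_PUSH:-}" != "true" ]]; then
  buildx_output_args=(--load --output type=docker)
else
  buildx_output_args=(--platform linux/amd64,linux/arm64,linux/arm/v7)
fi
if [[ "${DOCKER_PUSH:-}" == "true" ]]; then
  buildx_output_args+=(--push)
fi

# shellcheck disable=SC2154 # base_layer_cache_key is referenced but not assigned
docker buildx build "$project_root" \
  # … unchanged: --file, --progress, --pull, the --build-arg lines and the two -t lines …
  "${buildx_output_args[@]}" \
  "$@"
```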
@@ -12,32 +13,32 @@ act_user=act
 #################################################################
 # Adjust UID/GID and file permissions based on env var config
 #################################################################
-if [ -n "${GITEA_RUNNER_UID:-}" ]; then
- effective_uid=$(id -u $act_user)
+if [[ -n ${GITEA_RUNNER_UID:-} ]]; then
+ effective_uid=$(id -u "$act_user")
 if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]; then
 log INFO "Changing UID of user [$act_user] from $effective_uid to $GITEA_RUNNER_UID..."
 # workaround for:
 # usermod -o -u "$GITEA_RUNNER_UID" $act_user
 # failing with "usermod: user act is currently used by process 1" because of /usr/bin/tini process
- effective_gid=$(id -g $act_user)
+ effective_gid=$(id -g "$act_user")
 sed -i "s/^$act_user:x:$effective_uid:$effective_gid/$act_user:x:$GITEA_RUNNER_UID:$effective_gid/" /etc/passwd
 act_home=$(eval echo "~$act_user")
- chown $GITEA_RUNNER_UID "$act_home"
- find "$act_home" -user $effective_uid -exec chown $GITEA_RUNNER_UID {} \;
+ chown "$GITEA_RUNNER_UID" "$act_home"
+ find "$act_home" -user "$effective_uid" -exec chown "$GITEA_RUNNER_UID" {} \;
 fi
 fi
-if [ -n "${GITEA_RUNNER_GID:-}" ]; then
- effective_gid=$(id -g $act_user)
+if [[ -n ${GITEA_RUNNER_GID:-} ]]; then
+ effective_gid=$(id -g "$act_user")
 if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]; then
 log INFO "Changing GID of user [$act_user] from $effective_gid to $GITEA_RUNNER_GID..."
 groupmod -o -g "$GITEA_RUNNER_GID" $act_user
 act_home=$(eval echo "~$act_user")
- chown :$GITEA_RUNNER_GID "$act_home"
- find "$act_home" -group $effective_gid -exec chgrp $GITEA_RUNNER_GID {} \;
+ chown ":$GITEA_RUNNER_GID" "$act_home"
+ find "$act_home" -group "$effective_gid" -exec chgrp "$GITEA_RUNNER_GID" {} \;
 fi
 fi
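Review bot: `GITEA_RUNNER_UID` is spliced into the `sed -i "s/^$act_user:x:$effective_uid:$effective_gid/$act_user:x:$GITEA_RUNNER_UID:$effective_gid/" /etc/passwd` expression and `GITEA_RUNNER_GID` is handed to `groupmod -g` without either value being checked to be an integer; the quoting added in this hunk does not change that, and a value containing `/` or another sed metacharacter makes the substitution fail or rewrite the passwd entry in an unintended way. Validate once at the top of each block, `[[ $GITEA_RUNNER_UID =~ ^[0-9]+$ ]] || { printf 'GITEA_RUNNER_UID must be an integer, got [%s]\n' "$GITEA_RUNNER_UID" >&2; exit 1; }` and the same for `GITEA_RUNNER_GID`, so a malformed operator value stops the container before `/etc/passwd` is touched. Two smaller inconsistencies on the new side: the inner `if [ "$GITEA_RUNNER_UID" != "$effective_uid" ]` and `if [ "$GITEA_RUNNER_GID" != "$effective_gid" ]` tests are still `[ … ]` while the outer tests were moved to `[[ … ]]`, and `groupmod -o -g "$GITEA_RUNNER_GID" $act_user` keeps an unquoted `$act_user` that every other line here now quotes.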
@@ -48,18 +49,18 @@ fi
 if [[ $DOCKER_MODE != "dind-rootless" ]]; then
 if [[ $GITEA_RUNNER_JOB_CONTAINER_DOCKER_HOST == unix://* ]]; then
 docker_sock=${GITEA_RUNNER_JOB_CONTAINER_DOCKER_HOST#unix://}
- if runuser -u $act_user -- [ ! -r $docker_sock ] || runuser -u $act_user -- [ ! -w $docker_sock ]; then
- docker_group=$(stat -c '%G' $docker_sock)
+ if runuser -u "$act_user" -- [ ! -r "$docker_sock" ] || runuser -u "$act_user" -- [ ! -w "$docker_sock" ]; then
+ docker_group=$(stat -c '%G' "$docker_sock")
 if [[ $docker_group == "UNKNOWN" ]]; then
- docker_gid=$(stat -c '%g' $docker_sock)
+ docker_gid=$(stat -c '%g' "$docker_sock")
 docker_group="docker$docker_gid"
 log INFO "Creating group [$docker_group]..."
- addgroup --gid $docker_gid $docker_group
+ addgroup --gid "$docker_gid" "$docker_group"
 fi
- if ! id -nG $act_user | grep -qw "$docker_group"; then
- log INFO "Adding user [$act_user] to docker group [$(getent group $docker_group)]..."
- usermod -aG $docker_group $act_user
+ if ! id -nG "$act_user" | grep -qw "$docker_group"; then
+ log INFO "Adding user [$act_user] to docker group [$(getent group "$docker_group")]..."
+ usermod -aG "$docker_group" "$act_user"
 fi
 fi
 fi
@@ -69,4 +70,4 @@ fi
 #################################################################
 # Launch the runner via act user with adjusted UID/GID/group membership
 #################################################################
-exec sudo -u $act_user -g $act_user -E bash /opt/run_runner.sh
+exec sudo -u "$act_user" -g "$act_user" -E bash /opt/run_runner.sh
diff --git a/image/run.sh b/image/run.sh
index 7a65e36..b30149d 100644
--- a/image/run.sh
+++ b/image/run.sh
@@ -5,6 +5,7 @@
 # SPDX-License-Identifier: Apache-2.0
 # SPDX-ArtifactOfProjectHomePage: https://github.com/vegardit/docker-gitea-act-runner
+# shellcheck disable=SC1091 # Not following: /opt/bash-init.sh was not specified as input
 source /opt/bash-init.sh
 #################################################################
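Review bot: The `if runuser -u "$act_user" -- [ ! -r "$docker_sock" ] || …` test treats a missing socket the same as an unreadable one: when `$docker_sock` does not exist yet, both `[` tests succeed, `stat -c '%G'` fails and `docker_group` is left empty (or the script aborts right there if `set -e` is active further up, which this hunk does not show), after which the `id -nG … | grep -qw` check and `usermod -aG` run with an empty group name and fail with an unrelated-looking error. Make the missing-socket case explicit before the permission test, `if [[ ! -S "$docker_sock" ]]; then log INFO "Docker socket [$docker_sock] does not exist, skipping group setup"; elif runuser -u "$act_user" -- [ ! -r "$docker_sock" ] || runuser -u "$act_user" -- [ ! -w "$docker_sock" ]; then`, so the log says what actually happened. A comment above the block noting that membership in the socket's group is what hands the runner user control over the Docker daemon would help operators understand why a group is created on the fly here.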
@@ -23,7 +24,7 @@ EOF cat /opt/build_info echo - log INFO $(act_runner --version) + log INFO "$(act_runner --version)" log INFO "Timezone: $(date +"%Z %z")" log INFO "Hostname: $(hostname -f)" log INFO "IP Addresses: " @@ -40,17 +41,17 @@ if [[ -f /usr/bin/dockerd-rootless.sh ]]; then export DOCKER_MODE=dind-rootless log INFO "Starting Docker engine (rootless)..." export DOCKER_HOST=unix://$HOME/.docker/run/docker.sock - if [ ! -f $HOME/.config/docker/daemon.json ]; then + if [[ ! -f "$HOME/.config/docker/daemon.json" ]]; then # workaround for "Not using native diff for overlay2, this may cause degraded performance for building images: running in a user namespace storage-driver=overlay2" - mkdir -p $HOME/.config/docker - echo '{"storage-driver":"fuse-overlayfs"}' > $HOME/.config/docker/daemon.json + mkdir -p "$HOME/.config/docker" + echo '{"storage-driver":"fuse-overlayfs"}' > "$HOME/.config/docker/daemon.json" fi export container=docker # from dind-hack export XDG_RUNTIME_DIR=$HOME/.docker/run - mkdir -p $XDG_RUNTIME_DIR - rm -f $XDG_RUNTIME_DIR/docker.pid $XDG_RUNTIME_DIR/docker/containerd/containerd.pid - /usr/bin/dockerd-rootless.sh -p $HOME/.docker/run/docker.pid > "$HOME/.docker/docker.log" 2>&1 & + mkdir -p "$XDG_RUNTIME_DIR" + rm -f "$XDG_RUNTIME_DIR/docker.pid" "$XDG_RUNTIME_DIR/docker/containerd/containerd.pid" + /usr/bin/dockerd-rootless.sh -p "$HOME/.docker/run/docker.pid" > "$HOME/.docker/docker.log" 2>&1 & export DOCKER_PID=$! while ! docker stats --no-stream &>/dev/null; do log INFO "Waiting for Docker engine to start..." @@ -71,6 +72,7 @@ elif [[ -f /usr/bin/dockerd ]]; then sleep 2 tail -n 1 /var/log/docker.log done + # shellcheck disable=SC2155 # Declare and assign separately to avoid masking return values export DOCKER_PID=$(> "$effective_config_file" - done < $GITEA_RUNNER_CONFIG_TEMPLATE_FILE + done < "$GITEA_RUNNER_CONFIG_TEMPLATE_FILE" fi 
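Review bot: The `while ! docker stats --no-stream &>/dev/null; do` readiness loop in the rootless branch never checks whether the background `/usr/bin/dockerd-rootless.sh … &` process started on the line above is still alive, so if the daemon exits early for any reason the loop prints `Waiting for Docker engine to start...` forever instead of failing; the end of the loop body lies outside the visible hunk. Add a liveness check inside the loop, `kill -0 "$DOCKER_PID" 2>/dev/null || { log INFO "Docker engine exited, see $HOME/.docker/docker.log"; exit 1; }`, which points the operator at the log the redirect on the `dockerd-rootless.sh` line already captures. The `echo '{"storage-driver":"fuse-overlayfs"}' > "$HOME/.config/docker/daemon.json"` line is only reached when the file is absent; it is worth extending the workaround comment above it to say that an operator-provided daemon.json is deliberately left untouched, since that is the only way to override the storage driver.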
@@ -61,7 +64,7 @@ if [[ ! -s ${GITEA_RUNNER_REGISTRATION_FILE:-.runner} ]]; then
 log INFO " GITEA_RUNNER_NAME=$GITEA_RUNNER_NAME"
 log INFO " GITEA_RUNNER_REGISTRATION_TOKEN=${GITEA_RUNNER_REGISTRATION_TOKEN//?/*}"
 log INFO " GITEA_RUNNER_LABELS=$GITEA_RUNNER_LABELS"
- wait_until=$(( $(date +%s) + $GITEA_RUNNER_REGISTRATION_TIMEOUT ))
+ wait_until=$(( $(date +%s) + GITEA_RUNNER_REGISTRATION_TIMEOUT ))
 while true; do
 if act_runner register \
 --instance "$GITEA_INSTANCE_URL" \
@@ -84,6 +87,7 @@ fi
 #################################################
 # unset all variables named GITEA_... to prevent deprecation warning
 #################################################
+# shellcheck disable=SC2046 # Quote this to prevent word splitting
 unset $(env | grep "^GITEA_" | cut -d= -f1)
@@ -97,13 +101,13 @@ case $DOCKER_MODE in
 function shutdown_act() {
 log INFO "Stopping act_runner..."
- kill -SIGTERM $act_runner_pid || true
+ kill -SIGTERM "$act_runner_pid" || true
 }
 function shutdown_docker() {
 log INFO "Stopping docker engine..."
 if [[ $DOCKER_MODE == "dind-rootless" ]]; then
- kill -SIGTERM $DOCKER_PID
+ kill -SIGTERM "$DOCKER_PID"
 else
 sudo service docker stop
 fi
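Review bot: `wait_until=$(( $(date +%s) + GITEA_RUNNER_REGISTRATION_TIMEOUT ))` still takes the timeout straight from the environment without checking that it is an integer; inside `$(( ))` bash evaluates the variable's content as an arithmetic expression (in both the old `$VAR` and the new bare-name form), so a value such as `30s` or an empty string produces an arithmetic error at this line rather than a clear configuration message, and anything other than a plain number should never reach an arithmetic context. Validate it once before the registration loop, `[[ $GITEA_RUNNER_REGISTRATION_TIMEOUT =~ ^[0-9]+$ ]] || { printf 'GITEA_RUNNER_REGISTRATION_TIMEOUT must be an integer, got [%s]\n' "$GITEA_RUNNER_REGISTRATION_TIMEOUT" >&2; exit 1; }`, and the arithmetic stays as it is. The enclosing `if [[ ! -s … ]]` block and the `while true; do … act_runner register` loop both continue past the hunk.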
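Review bot: `unset $(env | grep "^GITEA_" | cut -d= -f1)` keeps the unquoted substitution and papers over it with the new `# shellcheck disable=SC2046`, although bash can list variables by prefix directly: `unset "${!GITEA_@}"` needs no suppression, and unlike `env | grep` it is not fooled by a variable whose value contains a newline followed by `GITEA_…=`, which the pipeline would treat as another variable name. The only behavioural difference is that `${!GITEA_@}` also covers non-exported shell variables with that prefix; if the script relies on such a variable surviving this point (none is visible in these hunks), keep the `env` listing but read it safely instead, `while IFS='=' read -r name _; do unset "$name"; done < <(env | grep '^GITEA_')`.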