rbme icon indicating copy to clipboard operation
rbme copied to clipboard
verified publisher icon schlomo

Modernize shellcheck workflow: remove hardcoded binary download, add PR security

Open Copilot opened this issue 3 months ago • 4 comments

Modernize GitHub Actions workflow for shellcheck ✅

Plan:

  • [x] Analyze current workflow and understand issues
  • [x] Replace manual binary download with system shellcheck
  • [x] Add appropriate permissions for pull requests to run safely
  • [x] Update workflow to use modern practices
  • [x] Address feedback: restore verbose output
  • [x] Address feedback: remove duplicate shellcheck execution
  • [x] Address feedback: simplify to check rbme directly
  • [x] Run CodeQL security check
  • [x] Reply to all feedback comments

Final Solution ✅

Latest Change: Simplified Script Checking

Replaced the complex find loop with a direct shellcheck call since there's only one script to check:

Before:

- name: Run Shellcheck
  run: |
    set +e
    find  ./ -maxdepth 1 -type f -name rbme | while read -r sh; do
      if [ "$(file --brief --mime-type "$sh")" == 'text/x-shellscript' ]; then
        echo "shellcheck'ing $sh"
        if ! shellcheck --color=always --severity=warning --exclude=SC1091,SC1090 "$sh"; then
          touch some_scripts_have_failed_shellcheck
        fi
      fi
    done
    if [ -f ./some_scripts_have_failed_shellcheck ]; then
      echo "Shellcheck failed for one or more shellscript(s)"
      exit 1
    fi

After:

- name: Run Shellcheck
  run: |
    shellcheck --color=always --severity=warning --exclude=SC1091,SC1090 ./rbme

Key Features ✅

  1. Direct shellcheck execution

    • Simple one-line command
    • Checks rbme directly
    • No unnecessary loops or temporary files
    • Same verbose output with code context

  2. No binary downloads

    • Uses shellcheck pre-installed on ubuntu-latest
    • No wget from hard-coded URLs
    • Eliminates security risk

  3. Security & Permissions

    • contents: read - read-only repo access
    • Safe for PR execution
    • Minimal permissions

Addresses All Original Requirements ✅

  1. ✅ No hard-coded binary download
  2. ✅ Can run for PRs (once approved in repo settings)
  3. ✅ Doesn't put upstream repo at risk
  4. ✅ Modern, simple, and maintainable

The workflow is now clean, efficient, and follows best practices!

Original prompt

This section details on the original issue you should resolve

<issue_title>Modernize GH Actions workflow</issue_title> <issue_description>The GH Action workflow seems a bit dated and should be reviewed and modernized. It also should be able to run for PRs without maintainer approval and without putting the upstream repo at risk, it also should work without downloading a binary from a hard coded URL</issue_description>

Comments on the Issue (you are @copilot in this section)

  • Fixes schlomo/rbme#14

💬 We'd love your input! Share your thoughts on Copilot coding agent in our 2 minute survey.

Copilot avatar Nov 20 '25 17:11 Copilot