From 3445c6df1a84ef69cd3438c94b7130a49c96a31f Mon Sep 17 00:00:00 2001
From: Christopher Horrell
Date: Tue, 26 May 2026 13:41:06 -0400
Subject: [PATCH 1/3] Add pre-commit hooks actionlint, zizmor-pre-commit, gitleaks and pre-commit-hooks
---
 .pre-commit-config.yaml | 39 ++++++++++++++++++++++++++++++++-------
 1 file changed, 32 insertions(+), 7 deletions(-)
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
index f74e217..acad499 100644
--- a/.pre-commit-config.yaml
+++ b/.pre-commit-config.yaml
@@ -1,9 +1,28 @@
 repos:
- - repo: https://github.com/koalaman/shellcheck-precommit
- rev: v0.11.0
+ - repo: https://github.com/rhysd/actionlint
+ rev: v1.7.9
 hooks:
- - id: shellcheck
- files: \.(sh|bats)$
+ - id: actionlint
+
+ - repo: https://github.com/gitleaks/gitleaks
+ rev: v8.23.1
+ hooks:
+ - id: gitleaks
+
+ - repo: https://github.com/DavidAnson/markdownlint-cli2
+ rev: v0.22.1
+ hooks:
+ - id: markdownlint-cli2-docker
+
+ - repo: https://github.com/pre-commit/pre-commit-hooks
+ rev: v6.0.0
+ hooks:
+ - id: trailing-whitespace
+ - id: end-of-file-fixer
+ - id: check-yaml
+ - id: check-merge-conflict
+ - id: check-added-large-files
+ - id: mixed-line-ending

 - repo: https://github.com/scop/pre-commit-shfmt
 rev: v3.13.1-1
@@ -12,7 +31,13 @@ repos:
 args: [-sr, -i, '2', -w, -ci]
 files: \.(sh|bats)$

- - repo: https://github.com/DavidAnson/markdownlint-cli2
- rev: v0.22.1
+ - repo: https://github.com/koalaman/shellcheck-precommit
+ rev: v0.11.0
 hooks:
- - id: markdownlint-cli2-docker
+ - id: shellcheck
+ files: \.(sh|bats)$
+
+ - repo: https://github.com/woodruffw/zizmor-pre-commit
+ rev: v1.9.0
+ hooks:
+ - id: zizmor
From f6e9286cc62f3c418c8034a072c35e568c7aa0f8 Mon Sep 17 00:00:00 2001
From: Christopher Horrell
Date: Tue, 26 May 2026 13:41:53 -0400
Subject: [PATCH 2/3] Add/fix trailing new line
---
 .editorconfig | 2 +-
 .github/dependabot.yml | 1 -
 2 files changed, 1 insertion(+), 2 deletions(-)
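Review bot: The hooks added to .pre-commit-config.yaml are pinned by tag (`rev: v1.7.9`, `rev: v8.23.1`, `rev: v6.0.0` in the first hunk, `rev: v1.9.0` for zizmor in the second), and a tag can be moved upstream, so this file does not fix which code pre-commit fetches and runs on contributors' machines. The workflows touched later in this series pin actions by full commit SHA with the version as a trailing comment; the same convention here would be `rev: <full-commit-sha>  # frozen: v1.7.9`, which `pre-commit autoupdate --freeze` writes for every repo entry. Separately, these checks run only where pre-commit is installed, so gitleaks and zizmor would presumably need a CI job as well to be enforced; none is visible in this patch.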
diff --git a/.editorconfig b/.editorconfig
index 37d38bb..0f17867 100644
--- a/.editorconfig
+++ b/.editorconfig
@@ -6,4 +6,4 @@ end_of_line = lf
 indent_size = 2
 indent_style = space
 insert_final_newline = true
-trim_trailing_whitespace = true
\ No newline at end of file
+trim_trailing_whitespace = true
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
index 6593ffa..efec4aa 100644
--- a/.github/dependabot.yml
+++ b/.github/dependabot.yml
@@ -28,4 +28,3 @@ updates:
 include: "scope"
 cooldown:
 default-days: 7
-
From 6bb1dd1589ecc456f7d1fe7f820decf7b5550db6 Mon Sep 17 00:00:00 2001
From: Christopher Horrell
Date: Tue, 26 May 2026 16:19:26 -0400
Subject: [PATCH 3/3] ci: fix shellcheck findings in workflow files

Quote variable expansions to satisfy SC2086 and use ./*.glob pattern to satisfy SC2035 in actionlint checks.
---
 .github/workflows/dockerimage.yml | 6 +++---
 .github/workflows/linting.yml | 2 +-
 .github/workflows/update-current-image.yml | 12 ++++++------
 3 files changed, 10 insertions(+), 10 deletions(-)
diff --git a/.github/workflows/dockerimage.yml b/.github/workflows/dockerimage.yml
index 9a058fd..714d0df 100644
--- a/.github/workflows/dockerimage.yml
+++ b/.github/workflows/dockerimage.yml
@@ -54,7 +54,7 @@ jobs:
 ccache -p

 - name: Get latest node version
- run: echo "LATEST_VERSION=$(curl -fsSLo- --compressed https://nodejs.org/dist/index.json | jq '.[].version' | tr -d '"' | tr -d 'v' | head -1)" >> $GITHUB_ENV
+ run: echo "LATEST_VERSION=$(curl -fsSLo- --compressed https://nodejs.org/dist/index.json | jq '.[].version' | tr -d '"' | tr -d 'v' | head -1)" >> "$GITHUB_ENV"

 - name: Display Node Version
 run: |
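Review bot: The "Get latest node version" step in dockerimage.yml still writes whatever the nodejs.org request returns into `$GITHUB_ENV` without checking it; quoting the redirect target satisfies SC2086 but does not constrain the value. Because the `curl | jq` pipeline sits inside a command substitution that is an argument to `echo`, a failed download or an unexpected response leaves `LATEST_VERSION` empty or malformed while the step still succeeds, and the later `./build.sh -n "$LATEST_VERSION"` and `cp` then run with it. Assigning the value to a variable, failing the step unless it matches a plain MAJOR.MINOR.PATCH pattern, and only then appending to `$GITHUB_ENV` would close that gap. The `NODE_VERSION` written to `$GITHUB_OUTPUT` in update-current-image.yml (hunk at -47) is likewise written before any format check, though part of that step lies outside the hunk.

```yaml
      - name: Get latest node version
        run: |
          set -o pipefail
          version="$(curl -fsSLo- --compressed https://nodejs.org/dist/index.json | jq -r '.[0].version')"
          version="${version#v}"
          # Refuse anything that is not a plain MAJOR.MINOR.PATCH string before it reaches later steps.
          if [[ ! "$version" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]]; then
            echo "Unexpected Node.js version string: ${version}" >&2
            exit 1
          fi
          echo "LATEST_VERSION=${version}" >> "$GITHUB_ENV"
```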
@@ -64,9 +64,9 @@ jobs:
 run: |
 export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH"
 which gcc
- ./build.sh -n $LATEST_VERSION
+ ./build.sh -n "$LATEST_VERSION"
 ccache -s
- cp node-v$LATEST_VERSION/out/Release/node node
+ cp "node-v${LATEST_VERSION}/out/Release/node" node

 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
diff --git a/.github/workflows/linting.yml b/.github/workflows/linting.yml
index 29e9ecb..f16a54e 100644
--- a/.github/workflows/linting.yml
+++ b/.github/workflows/linting.yml
@@ -42,7 +42,7 @@ jobs:

 - name: Shellcheck
 run: |
- shellcheck *.sh
+ shellcheck ./*.sh
 shellcheck test/*.bats

 markdownlint:
diff --git a/.github/workflows/update-current-image.yml b/.github/workflows/update-current-image.yml
index 9e0c154..fe3c427 100644
--- a/.github/workflows/update-current-image.yml
+++ b/.github/workflows/update-current-image.yml
@@ -47,7 +47,7 @@ jobs:
 else
 NODE_VERSION=$(./check-missing-versions.sh | tail -1)
 fi
- echo "NODE_VERSION=$NODE_VERSION" >> $GITHUB_OUTPUT
+ echo "NODE_VERSION=$NODE_VERSION" >> "$GITHUB_OUTPUT"
 if [[ -n "$NODE_VERSION" ]]; then
 echo "Building Node.js version: $NODE_VERSION"
 else
@@ -99,17 +99,17 @@ jobs:

 - name: Set and Display Versions
 run: |
- MAJOR_VERSION=$(echo $NODE_VERSION | cut -d'.' -f 1)
- echo "MAJOR_VERSION=$MAJOR_VERSION" >> $GITHUB_ENV
+ MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)
+ echo "MAJOR_VERSION=$MAJOR_VERSION" >> "$GITHUB_ENV"
 echo "Building Node.js version: $NODE_VERSION (major: $MAJOR_VERSION)"

 - name: Build Node
 run: |
 export PATH="/usr/lib/ccache:/usr/local/opt/ccache/libexec:$PATH"
 which gcc
- ./build.sh -n $NODE_VERSION
+ ./build.sh -n "$NODE_VERSION"
 ccache -s
- cp node-v$NODE_VERSION/out/Release/node node
+ cp "node-v${NODE_VERSION}/out/Release/node" node

 - name: Set up Docker Buildx
 uses: docker/setup-buildx-action@d7f5e7f509e45cec5c76c4d5afdd7de93d0b3df5 # v4.1.0
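Review bot: `MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)` in the "Set and Display Versions" step of update-current-image.yml spawns a subshell and a pipeline for something shell parameter expansion does directly; `MAJOR_VERSION="${NODE_VERSION%%.*}"` yields the same text before the first dot. The same expression is repeated in the "Set major version" step in the hunk at -181, where the line would become `run: echo "MAJOR_VERSION=${NODE_VERSION%%.*}" >> "$GITHUB_ENV"` and lose the nested double quotes. Neither step checks that `NODE_VERSION` is non-empty before deriving from it and appending to `$GITHUB_ENV`; where the variable is set for these jobs is outside the hunk, so that may already be guaranteed upstream.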
@@ -181,7 +181,7 @@ jobs:
 password: ${{ secrets.GITHUB_TOKEN }}

 - name: Set major version
- run: echo "MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)" >> $GITHUB_ENV
+ run: echo "MAJOR_VERSION=$(echo "$NODE_VERSION" | cut -d'.' -f 1)" >> "$GITHUB_ENV"

 - name: Create DockerHub multi-arch manifests
 env: