1+ name : Shell Script Validation
2+
3+ on :
4+ push :
5+ branches : [ main ]
6+ pull_request :
7+
8+ jobs :
9+ validate-shell-scripts :
10+ runs-on : ubuntu-latest
11+ name : Validate Shell Scripts
12+
13+ steps :
14+ - name : Checkout repository
15+ uses : actions/checkout@v4
16+
17+ - name : Install shellcheck
18+ run : |
19+ sudo apt-get update
20+ sudo apt-get install -y shellcheck
21+
22+ - name : Install shfmt
23+ run : |
24+ curl -L -o shfmt https://github.com/mvdan/sh/releases/latest/download/shfmt_v3.7.0_linux_amd64
25+ chmod +x shfmt
26+ sudo mv shfmt /usr/local/bin/
27+
28+ - name : Find shell scripts
29+ id : find-scripts
30+ run : |
31+ echo "Found shell scripts:"
32+ find scripts/ -type f -executable -o -name "*.sh" | tee scripts-list.txt
33+ # Also check files with shell shebangs
34+ find scripts/ -type f -exec grep -l '^#!/bin/sh\|^#!/bin/bash\|^#!/usr/bin/env sh\|^#!/usr/bin/env bash' {} \; | tee -a scripts-list.txt
35+ sort -u scripts-list.txt > unique-scripts.txt
36+ mv unique-scripts.txt scripts-list.txt
37+ cat scripts-list.txt
38+
39+ - name : POSIX Compliance Check (shellcheck)
40+ run : |
41+ echo "Running shellcheck for POSIX compliance..."
42+ exit_code=0
43+ while IFS= read -r script; do
44+ if [ -f "$script" ]; then
45+ echo "Checking $script..."
46+ if ! shellcheck -s sh -e SC1091 -e SC2039 "$script"; then
47+ echo "❌ $script failed POSIX compliance check"
48+ exit_code=1
49+ else
50+ echo "✅ $script passed POSIX compliance check"
51+ fi
52+ echo "---"
53+ fi
54+ done < scripts-list.txt
55+ exit $exit_code
56+
57+ - name : Shell Script Linting (shellcheck extended)
58+ run : |
59+ echo "Running extended shellcheck analysis..."
60+ exit_code=0
61+ while IFS= read -r script; do
62+ if [ -f "$script" ]; then
63+ echo "Linting $script..."
64+ if ! shellcheck -f gcc "$script"; then
65+ echo "❌ $script failed extended linting"
66+ exit_code=1
67+ else
68+ echo "✅ $script passed extended linting"
69+ fi
70+ echo "---"
71+ fi
72+ done < scripts-list.txt
73+ exit $exit_code
74+
75+ - name : Executable Permissions Check
76+ run : |
77+ echo "Checking executable permissions..."
78+ exit_code=0
79+ while IFS= read -r script; do
80+ if [ -f "$script" ]; then
81+ if [ ! -x "$script" ]; then
82+ echo "⚠️ $script is not executable"
83+ exit_code=1
84+ else
85+ echo "✅ $script has correct executable permissions"
86+ fi
87+ fi
88+ done < scripts-list.txt
89+ exit $exit_code
90+
91+ - name : Shebang Validation
92+ run : |
93+ echo "Validating shebangs..."
94+ exit_code=0
95+ while IFS= read -r script; do
96+ if [ -f "$script" ]; then
97+ first_line=$(head -n1 "$script")
98+ case "$first_line" in
99+ "#!/bin/sh"|"#!/usr/bin/env sh")
100+ echo "✅ $script has valid POSIX shebang: $first_line"
101+ ;;
102+ "#!/bin/bash"|"#!/usr/bin/env bash")
103+ echo "⚠️ $script uses bash shebang (not POSIX): $first_line"
104+ ;;
105+ "#!"*)
106+ echo "❌ $script has non-standard shebang: $first_line"
107+ exit_code=1
108+ ;;
109+ *)
110+ echo "❌ $script missing shebang"
111+ exit_code=1
112+ ;;
113+ esac
114+ fi
115+ done < scripts-list.txt
116+ exit $exit_code
117+
118+ - name : Security Scan (basic)
119+ run : |
120+ echo "Running basic security checks..."
121+ exit_code=0
122+ while IFS= read -r script; do
123+ if [ -f "$script" ]; then
124+ echo "Security scanning $script..."
125+
126+ # Check for potentially dangerous patterns
127+ if grep -n "eval\|exec\|system\|curl.*|.*sh\|wget.*|.*sh" "$script" | grep -v "^#"; then
128+ echo "⚠️ $script contains potentially dangerous patterns"
129+ fi
130+
131+ # Check for hardcoded credentials patterns
132+ if grep -ni "password\|secret\|token\|key" "$script" | grep -v "^#" | grep "="; then
133+ echo "⚠️ $script may contain hardcoded credentials"
134+ fi
135+
136+ # Check for unquoted variables
137+ if grep -n '\$[A-Za-z_][A-Za-z0-9_]*[^A-Za-z0-9_"]' "$script" | grep -v "^#"; then
138+ echo "⚠️ $script has potentially unquoted variables"
139+ fi
140+
141+ echo "✅ Basic security scan completed for $script"
142+ echo "---"
143+ fi
144+ done < scripts-list.txt
145+ exit $exit_code
146+
147+ - name : Summary Report
148+ if : always()
149+ run : |
150+ echo "=== Shell Script Validation Summary ==="
151+ echo "Scripts validated:"
152+ cat scripts-list.txt | wc -l
153+ echo ""
154+ echo "Validation completed. Check individual step results above for details."
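Review bot: The shfmt install step at line 24 fetches an unpinned, unverified binary: the URL combines `releases/latest/download` with a version-specific asset name, so the download breaks as soon as the latest release is no longer v3.7.0, and because curl runs without `--fail` a 404 body would be saved and made executable; the binary is also never used by any later step. Either drop the step or pin and verify it, e.g. `curl -fsSL -o shfmt https://github.com/mvdan/sh/releases/download/v3.7.0/shfmt_v3.7.0_linux_amd64` followed by `echo "<EXPECTED_SHA256_PLACEHOLDER>  shfmt" | sha256sum -c -`. Separately, the comment filters at lines 127, 132 and 137 are ineffective: `grep -n` prefixes every match with `N:`, so `grep -v "^#"` never drops a comment line; use `grep -v '^[0-9]*:[[:space:]]*#'` instead, and note that none of these findings sets `exit_code=1`, so the step is informational only. The workflow also declares no `permissions:` block, so the job's GITHUB_TOKEN receives the repository default; a read-only job like this should state `permissions: contents: read` at the top level.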