Refactor shell scripts

nhs-england-tools · Oct 6, 2023 · a4517db · a4517db
1 parent 5f28100
commit a4517db
Show file tree

Hide file tree

Showing 16 changed files with 157 additions and 111 deletions.
diff --git a/.github/actions/check-markdown-format/action.yaml b/.github/actions/check-markdown-format/action.yaml
@@ -7,4 +7,4 @@ runs:
       shell: bash
       run: |
         export BRANCH_NAME=origin/${{ github.event.repository.default_branch }}
-        ./scripts/githooks/check-markdown-format.sh
+        check=branch ./scripts/githooks/check-markdown-format.sh
diff --git a/.github/actions/scan-secrets/action.yaml b/.github/actions/scan-secrets/action.yaml
@@ -6,5 +6,5 @@ runs:
     - name: "Scan secrets"
       shell: bash
       run: |
-        export ALL_FILES=true # Do not change this line, as new patterns may be added or history may be rewritten
-        ./scripts/githooks/scan-secrets.sh
+        # Please, do not change it, as new patterns may be added or history may be rewritten.
+        check=whole-history ./scripts/githooks/scan-secrets.sh
diff --git a/README.md b/README.md
@@ -48,7 +48,8 @@ The following software packages, or their equivalents, are expected to be instal
 - [docker](https://www.docker.com/) container runtime or a compatible tool, e.g. [podman](https://podman.io/),
 - [asdf](https://asdf-vm.com/) version manager,
 - [GNU make](https://www.gnu.org/software/make/) 3.82 or later,
-- [GNU coreutils](https://www.gnu.org/software/coreutils/) and [GNU binutils](https://www.gnu.org/software/binutils/) may be required to build dependencies like Python, which may need to be compiled during installation. For macOS users, this has been scripted and automated by the `dotfiles` project; please see this [script](https://github.com/nhs-england-tools/dotfiles/blob/main/assets/20-install-base-packages.macos.sh) for details.
+- [GNU coreutils](https://www.gnu.org/software/coreutils/) and [GNU binutils](https://www.gnu.org/software/binutils/) may be required to build dependencies like Python, which may need to be compiled during installation. For macOS users, this has been scripted and automated by the `dotfiles` project; please see this [script](https://github.com/nhs-england-tools/dotfiles/blob/main/assets/20-install-base-packages.macos.sh) for details,
+- [jq](https://jqlang.github.io/jq/) a lightweight and flexible command-line JSON processor.
 
 > [!NOTE]<br>
 > The version of GNU make available by default on macOS is earlier than 3.82. You will need to upgrade it or certain `make` tasks will fail. On macOS, you will need [homebrew](https://brew.sh/) installed, then to install `make`, like so:

diff --git a/scripts/config/pre-commit.yaml b/scripts/config/pre-commit.yaml
@@ -4,6 +4,7 @@ repos:
   - id: scan-secrets
     name: Scan Secrets
     entry: ./scripts/githooks/scan-secrets.sh
+    args: ["check=staged-changes"]
     language: script
     pass_filenames: false
 - repo: local
@@ -19,6 +20,7 @@ repos:
   - id: check-markdown-format
     name: Check Markdown Format
     entry: ./scripts/githooks/check-markdown-format.sh
+    args: ["check=staged-changes"]
     language: script
     pass_filenames: false
 - repo: local

diff --git a/scripts/docker/dockerfile-linter.sh b/scripts/docker/dockerfile-linter.sh
@@ -46,7 +46,8 @@ function docker-run-hadolint() {
   # shellcheck disable=SC1091
   source ./scripts/docker/docker.lib.sh
 
-  image=$(name=hadolint/hadolint docker-get-image-version-and-pull)
+  # shellcheck disable=SC2155
+  local image=$(name=hadolint/hadolint docker-get-image-version-and-pull)
   # shellcheck disable=SC2001
   docker run --rm --platform linux/amd64 \
     --volume "$PWD:/workdir" \

diff --git a/scripts/docker/tests/docker.test.sh b/scripts/docker/tests/docker.test.sh
@@ -144,7 +144,7 @@ function test-docker-get-image-version-and-pull() {
 
 # ==============================================================================
 
-function is_arg_true() {
+function is-arg-true() {
 
   if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
     return 0
@@ -155,7 +155,7 @@ function is_arg_true() {
 
 # ==============================================================================
 
-is_arg_true "${VERBOSE:-false}" && set -x
+is-arg-true "${VERBOSE:-false}" && set -x
 
 main "$@"
 

diff --git a/scripts/githooks/check-file-format.sh b/scripts/githooks/check-file-format.sh
@@ -1,6 +1,8 @@
 #!/bin/bash
 
-set +e
+# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
 
 # Pre-commit git hook to check the EditorConfig rules compliance over changed
 # files. It ensures all non-binary files across the codebase are formatted
@@ -17,7 +19,6 @@ set +e
 #   0 - All files are formatted correctly
 #   1 - Files are not formatted correctly
 #
-#
 # The `check` parameter controls which files are checked, so you can
 # limit the scope of the check according to what is appropriate at the
 # point the check is being applied.
@@ -45,9 +46,10 @@ image_version=2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2
 
 function main() {
 
-  cd $(git rev-parse --show-toplevel)
+  cd "$(git rev-parse --show-toplevel)"
 
-  is-arg-true "$dry_run" && dry_run_opt="--dry-run"
+  # shellcheck disable=SC2154
+  is-arg-true "${dry_run:-false}" && dry_run_opt="--dry-run"
 
   check=${check:-working-tree-changes}
   case $check in
@@ -68,16 +70,17 @@ function main() {
       ;;
   esac
 
-
   # We use /dev/null here as a backstop in case there are no files in the state
-  # we choose.  If the filter comes back empty, adding `/dev/null` onto it has
+  # we choose. If the filter comes back empty, adding `/dev/null` onto it has
   # the effect of preventing `ec` from treating "no files" as "all the files".
   docker run --rm --platform linux/amd64 \
-    --volume=$PWD:/check \
+    --volume "$PWD":/check \
     mstruebing/editorconfig-checker:$image_version \
-      sh -c "ec --exclude '.git/' $dry_run_opt \$($filter) /dev/null"
+      sh -c "ec --exclude '.git/' ${dry_run_opt:-} \$($filter) /dev/null"
 }
 
+# ==============================================================================
+
 function is-arg-true() {
 
   if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
@@ -89,9 +92,8 @@ function is-arg-true() {
 
 # ==============================================================================
 
+is-arg-true "${VERBOSE:-false}" && set -x
 
-is-arg-true "$VERBOSE" && set -x
-
-main $*
+main "$@"
 
 exit 0
diff --git a/scripts/githooks/check-markdown-format.sh b/scripts/githooks/check-markdown-format.sh
@@ -1,16 +1,17 @@
 #!/bin/bash
 
-set -e
+# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
 
 # Pre-commit git hook to check the Markdown file formatting rules compliance
 # over changed files.
 #
 # Usage:
-#   $ ./check-markdown-format.sh
+#   $ check={all,staged-changes,working-tree-changes,branch} ./check-markdown-format.sh
 #
 # Options:
 #   BRANCH_NAME=other-branch-than-main  # Branch to compare with, default is `origin/main`
-#   ALL_FILES=true                      # Check all files, default is `false`
 #   VERBOSE=true                        # Show all the executed commands, default is `false`
 #
 # Exit codes:
@@ -27,31 +28,42 @@ set -e
 # ==============================================================================
 
 # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli, use the `linux/amd64` os/arch
-image_version=v0.35.0@sha256:4ec089301e2e3e1298424f4d2b5d9e18af3aa005402590770c339b6637100dc6
+image_version=v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d
 
 # ==============================================================================
 
 function main() {
 
-  cd $(git rev-parse --show-toplevel)
+  cd "$(git rev-parse --show-toplevel)"
 
-  if is-arg-true "$ALL_FILES"; then
-    # Check all files
-    files="$(find ./ -type f -name "*.md")"
-  else
-    # Check changed files only
-    files="$( (git diff --diff-filter=ACMRT --name-only ${BRANCH_NAME:-origin/main} "*.md"; git diff --name-only "*.md") | sort | uniq )"
-  fi
+  check=${check:-working-tree-changes}
+  case $check in
+    "all")
+      files="$(find ./ -type f -name "*.md")"
+      ;;
+    "staged-changes")
+      files="$(git diff --diff-filter=ACMRT --name-only --cached "*.md")"
+      ;;
+    "working-tree-changes")
+      files="$(git diff --diff-filter=ACMRT --name-only "*.md")"
+      ;;
+    "branch")
+      files="$( (git diff --diff-filter=ACMRT --name-only "${BRANCH_NAME:-origin/main}" "*.md"; git diff --name-only "*.md") | sort | uniq )"
+      ;;
+  esac
 
   if [ -n "$files" ]; then
+    # shellcheck disable=SC2086
     docker run --rm --platform linux/amd64 \
-      --volume $PWD:/workdir \
+      --volume "$PWD":/workdir \
       ghcr.io/igorshubovych/markdownlint-cli:$image_version \
         $files \
         --config /workdir/scripts/config/markdownlint.yaml
   fi
 }
 
+# ==============================================================================
+
 function is-arg-true() {
 
   if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
@@ -63,8 +75,8 @@ function is-arg-true() {
 
 # ==============================================================================
 
-is-arg-true "$VERBOSE" && set -x
+is-arg-true "${VERBOSE:-false}" && set -x
 
-main $*
+main "$@"
 
 exit 0
diff --git a/scripts/githooks/check-terraform-format.sh b/scripts/githooks/check-terraform-format.sh
@@ -18,7 +18,7 @@ set -euo pipefail
 
 function main() {
 
-  cd $(git rev-parse --show-toplevel)
+  cd "$(git rev-parse --show-toplevel)"
 
   local check_only=${check_only:-false}
   check_only=$check_only terraform-fmt
@@ -36,6 +36,8 @@ function terraform-fmt() {
   opts=$opts make terraform-fmt
 }
 
+# ==============================================================================
+
 function is-arg-true() {
 
   if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then

diff --git a/scripts/githooks/scan-secrets.sh b/scripts/githooks/scan-secrets.sh
@@ -1,15 +1,16 @@
 #!/bin/bash
 
-set -e
+# WARNING: Please, DO NOT edit this file! It is maintained in the Repository Template (https://github.com/nhs-england-tools/repository-template). Raise a PR instead.
+
+set -euo pipefail
 
 # Pre-commit git hook to scan for secrets hardcoded in the codebase.
 #
 # Usage:
-#   $ ./scan-secrets.sh
+#   $ check={whole-history,last-commit,staged-changes} ./scan-secrets.sh
 #
 # Options:
-#   ALL_FILES=true  # Scan whole git history or 'last-commit', default is `false`
-#   VERBOSE=true    # Show all the executed commands, default is `false`
+#   VERBOSE=true  # Show all the executed commands, default is `false`
 #
 # Exit codes:
 #   0 - No leaks present
@@ -19,38 +20,43 @@ set -e
 # ==============================================================================
 
 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks, use the `linux/amd64` os/arch
-image_version=v8.17.0@sha256:99e40155529614d09d264cc886c1326c9a4593ad851ccbeaaed8dcf03ff3d3d7
+image_version=v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9
 
 # ==============================================================================
 
 function main() {
 
-  cd $(git rev-parse --show-toplevel)
+  cd "$(git rev-parse --show-toplevel)"
 
-  if is_arg_true "$ALL_FILES"; then
-    # Scan whole git history
-    cmd="detect --source /scan --verbose --redact"
-  elif [ "$ALL_FILES" == "last-commit" ]; then
-    # Scan the last commit
-    cmd="detect --source /scan --verbose --redact --log-opts -1"
-  else
-    # Scan staged files only
-    cmd="protect --source /scan --verbose --staged"
-  fi
+  check=${check:-staged-changes}
+  case $check in
+    "whole-history")
+      cmd="detect --source /scan --verbose --redact"
+      ;;
+    "last-commit")
+      cmd="detect --source /scan --verbose --redact --log-opts -1"
+      ;;
+    "staged-changes")
+      cmd="protect --source /scan --verbose --staged"
+      ;;
+  esac
   # Include base line file if it exists
-  if [ -f $PWD/scripts/config/.gitleaks-baseline.json ]; then
+  if [ -f "$PWD/scripts/config/.gitleaks-baseline.json" ]; then
     cmd="$cmd --baseline-path /scan/scripts/config/.gitleaks-baseline.json"
   fi
 
+  # shellcheck disable=SC2086
   docker run --rm --platform linux/amd64 \
-    --volume $PWD:/scan \
+    --volume "$PWD":/scan \
     --workdir /scan \
     ghcr.io/gitleaks/gitleaks:$image_version \
       $cmd \
       --config /scan/scripts/config/gitleaks.toml
 }
 
-function is_arg_true() {
+# ==============================================================================
+
+function is-arg-true() {
 
   if [[ "$1" =~ ^(true|yes|y|on|1|TRUE|YES|Y|ON)$ ]]; then
     return 0
@@ -61,8 +67,8 @@ function is_arg_true() {
 
 # ==============================================================================
 
-is_arg_true "$VERBOSE" && set -x
+is-arg-true "${VERBOSE:-false}" && set -x
 
-main $*
+main "$@"
 
 exit 0