shellcheck.yml
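# Lints shell scripts with ShellCheck on pushes and pull requests that target
# main. Every third-party action is pinned to a full commit SHA; the trailing
# comment records the release tag that SHA corresponds to.
name: ShellCheck
on:
  push:
    branches: [main]
    # In Actions path filters `*` does not match `/`, so only .sh files in the
    # repository root trigger this workflow, while the ShellCheck step below
    # scans the whole tree (scandir: '.').
    # NOTE(review): if scripts also live in subdirectories, '**.sh' would
    # cover them - confirm against the repository layout.
    paths:
      - '*.sh'
  pull_request:
    branches: [main]
    paths:
      - '*.sh'
# Start from an empty token scope; each job opts in to only what it needs.
permissions: {}
jobs:
  shellcheck:
    permissions:
      contents: read # for actions/checkout to fetch code
    name: ShellCheck
    runs-on: ubuntu-latest
    steps:
      - name: Harden the runner (Audit all outbound calls)
        uses: step-security/harden-runner@a90bcbc6539c36a85cdfeb73f7e2f433735f215b # v2.15.0
        with:
          # audit records outbound connections but does not block any of them.
          # Once the expected endpoints are known, `egress-policy: block` with
          # an `allowed-endpoints` list turns the record into an enforced
          # allowlist.
          egress-policy: audit
      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
        with:
          # No later step pushes or fetches, so do not leave the job token in
          # the checked-out repository's git config where the following
          # third-party action could read it.
          persist-credentials: false
      - name: Run ShellCheck
        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # 2.0.0
        env:
          # SC2155: "Declare and assign separately" - suppressed because the script
          # uses `local var=$(...)` extensively for readability. The exit codes from
          # these assignments are intentionally not checked (failures are handled
          # by downstream empty-string checks instead).
          # SC2034: "Variable appears unused" - suppressed because detection arrays
          # and config variables are read via IFS splitting and indirect expansion,
          # which ShellCheck cannot trace.
          SHELLCHECK_OPTS: '--exclude=SC2155,SC2034'
        with:
          scandir: '.'
          severity: warning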