Add an option to check all executable scripts

[mislav]

By default, this action only checks extension-less executable scripts if they have a known shebang such as #!/usr/bin/env bash. The new option all_scripts: true relaxes the shebang regex pattern so that any executable scripts are checked by shellcheck.

This is suitable for repositories with scripts that have unusual shebangs, such as the HomeAssistant addons repository that contains dozens of scripts with shebangs like #!/usr/bin/with-contenv bashio that were not included in the shellcheck linting CI check: home-assistant/addons#3803 (comment)

I considered using additional_files for that repository, but there were many unique script names, and my idea was to ensure that all scripts are linted by default, even future ones added with unique names that someone might forget to add to additional_files.

Please let me know if a new action input approach I took here is acceptable. Thank you!

[coderabbitai]

📝 Walkthrough

📝 Walkthrough

Walkthrough

The changes introduce enhancements to the GitHub Actions workflow in .github/workflows/scandir.yml by adding a new job step for ShellCheck and a verification step to check for an unknown shebang in a specific file. Additionally, the configuration in action.yaml is updated to include a new input parameter all_scripts, allowing for the checking of all executable scripts. A new executable script file unknown-shebang is also created, featuring a shebang line and a simple echo command.

Changes

File	Change Summary
.github/workflows/scandir.yml	Added a new job step for ShellCheck (ID: three) with scandir parameter and all_scripts set to true. Added a verification step to check for testfiles/scandir/unknown-shebang.
action.yaml	Introduced a new input parameter all_scripts for checking all executable scripts and updated shebangregex logic accordingly.
testfiles/scandir/unknown-shebang	Added a shebang line (#!/usr/bin/with-contenv bashio) and an echo command (echo "hi").

Sequence Diagram(s)

sequenceDiagram
    participant Workflow
    participant ShellCheck
    participant Verification
    participant Script

    Workflow->>ShellCheck: Run ShellCheck with all_scripts=true
    ShellCheck-->>Workflow: Output results
    Workflow->>Verification: Check for unknown shebang in testfiles/scandir/unknown-shebang
    Verification-->>Workflow: Log error if not found
    Script->>ShellCheck: Execute unknown-shebang script
    ShellCheck-->>Script: Validate shebang and output

Loading

---

📜 Recent review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 5b1d02e and 03e95a9.

📒 Files selected for processing (1)

• .github/workflows/scandir.yml (1 hunks)

🔇 Additional comments (3)

.github/workflows/scandir.yml (3)

65-71: LGTM! The new ShellCheck step is well-structured.

The step correctly implements the new all_scripts option while maintaining consistency with existing steps.

---

72-79: 🛠️ Refactor suggestion

Consider enhancing the verification step for consistency and completeness.

While the step correctly references steps.three.outputs.files, consider these improvements:

1. Add a negative test case (notexpect) like other verify steps to ensure only intended files are included
2. Enhance error messages with actual output for easier debugging

Here's a suggested enhancement:

     - name: Verify check
       run: |
         expect="testfiles/scandir/unknown-shebang"
+        notexpect="testfiles/scandir/ignore/test.bash"
 
         if [[ ! "${{ steps.three.outputs.files }}" =~ $expect ]];then
-          echo "::error:: Expected file $expect not found in ${{ steps.three.outputs.files }}"
+          echo "::error:: Expected file '$expect' not found in output:"
+          echo "${{ steps.three.outputs.files }}"
           exit 1
+        elif [[ "${{ steps.three.outputs.files }}" =~ $notexpect ]];then
+          echo "::error:: Unexpected file '$notexpect' found in output:"
+          echo "${{ steps.three.outputs.files }}"
+          exit 1
         fi

Note: The previous suggestion about refactoring verification steps into a reusable function remains valid for reducing duplication across all verify steps.

---

64-79: Verify the changes meet PR objectives.

The implementation successfully:

1. Tests the new all_scripts: true option
2. Verifies detection of scripts with unconventional shebangs
3. Maintains existing functionality

Let's verify the test file has the intended unconventional shebang:

✅ Verification successful

The output confirms that the test file indeed has an unconventional shebang (#!/usr/bin/with-contenv bashio), which aligns perfectly with the PR's objective of supporting scripts with non-standard shebangs. Let me verify one more aspect to ensure comprehensive testing:

---

Implementation correctly validates unconventional shebang support

The verification confirms that:

1. The test file uses an unconventional shebang (#!/usr/bin/with-contenv bashio)
2. The file contains valid shell script content
3. The workflow correctly detects and includes this file when all_scripts: true is set

This implementation properly tests the PR's objective of supporting scripts with non-standard shebangs while maintaining shell script validation.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Verify the test file has an unconventional shebang
cat testfiles/scandir/unknown-shebang | head -n 1

Length of output: 82

---

Script:

#!/bin/bash
# Check if the file is actually a shell script despite the unconventional shebang
head -n 5 testfiles/scandir/unknown-shebang

Length of output: 87

---

Thank you for using CodeRabbit. We offer it for free to the OSS community and would appreciate your support in helping us grow. If you find it useful, would you consider giving us a shout-out on your favorite social media?

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

🪧 Tips

Chat

There are 3 ways to chat with CodeRabbit:

‼️ IMPORTANT
Auto-reply has been disabled for this repository in the CodeRabbit settings. The CodeRabbit bot will not respond to your replies unless it is explicitly tagged.

• Files and specific lines of code (under the "Files changed" tab): Tag @coderabbitai in a new review comment at the desired location with your query. Examples:
  • @coderabbitai generate unit testing code for this file.
  • @coderabbitai modularize this function.
• PR comments: Tag @coderabbitai in a new PR comment to ask questions about the PR branch. For the best results, please provide a very specific query, as very limited context is provided in this mode. Examples:
  • @coderabbitai gather interesting stats about this repository and render them as a table. Additionally, render a pie chart showing the language distribution in the codebase.
  • @coderabbitai read src/utils.ts and generate unit testing code.
  • @coderabbitai read the files in the src/scheduler package and generate a class diagram using mermaid and a README in the markdown format.
  • @coderabbitai help me debug CodeRabbit configuration file.

Note: Be mindful of the bot's finite context window. It's strongly recommended to break down tasks such as reading entire modules into smaller chunks. For a focused discussion, use review comments to chat about specific files and their changes, instead of using the PR comments.

CodeRabbit Commands (Invoked using PR comments)

• @coderabbitai pause to pause the reviews on a PR.
• @coderabbitai resume to resume the paused reviews.
• @coderabbitai review to trigger an incremental review. This is useful when automatic reviews are disabled for the repository.
• @coderabbitai full review to do a full review from scratch and review all the files again.
• @coderabbitai summary to regenerate the summary of the PR.
• @coderabbitai resolve resolve all the CodeRabbit review comments.
• @coderabbitai configuration to show the current CodeRabbit configuration for the repository.
• @coderabbitai help to get help.

Other keywords and placeholders

• Add @coderabbitai ignore anywhere in the PR description to prevent this PR from being reviewed.
• Add @coderabbitai summary to generate the high-level summary at a specific location in the PR description.
• Add @coderabbitai anywhere in the PR title to generate the title automatically.

CodeRabbit Configuration File (.coderabbit.yaml)

• You can programmatically configure CodeRabbit by adding a .coderabbit.yaml file to the root of your repository.
• Please see the configuration documentation for more information.
• If your editor has YAML language server enabled, you can add the path at the top of this file to enable auto-completion and validation: # yaml-language-server: $schema=https://coderabbit.ai/integrations/schema.v2.json

Documentation and Community

• Visit our Documentation for detailed information on how to use CodeRabbit.
• Join our Discord Community to get help, request features, and share feedback.
• Follow us on X/Twitter for updates and announcements.

[coderabbitai]

Actionable comments posted: 4

📜 Review details

Configuration used: CodeRabbit UI
Review profile: ASSERTIVE

📥 Commits

Files that changed from the base of the PR and between 00b27aa and 5b1d02e.

📒 Files selected for processing (3)

• .github/workflows/scandir.yml (1 hunks)
• action.yaml (3 hunks)
• testfiles/scandir/unknown-shebang (1 hunks)

🔇 Additional comments (4)

testfiles/scandir/unknown-shebang (2)

1-1: LGTM! The shebang line correctly represents the test case.

The unconventional shebang #!/usr/bin/with-contenv bashio is an excellent choice for testing the new all_scripts option, as it represents a real-world use case from HomeAssistant addons.

---

1-3: Verify file permissions.

Since this file is intended to test the detection of executable scripts, ensure it has the correct executable permissions.

✅ Verification successful

File has correct executable permissions

The file testfiles/scandir/unknown-shebang has the executable bit set (-rwxr-xr-x), which is appropriate for a test file intended to verify executable script detection.

🏁 Scripts executed

The following scripts were executed for the analysis:

Script:

#!/bin/bash
# Description: Check if the test file has executable permissions
# Expected: File should have executable bit set

ls -l testfiles/scandir/unknown-shebang

Length of output: 122

.github/workflows/scandir.yml (1)

65-71: LGTM! New ShellCheck step is properly configured.

The step follows the established pattern and correctly implements the new all_scripts parameter.

action.yaml (1)

9-12: LGTM! Well-documented input parameter.

The new all_scripts input parameter is well-defined with clear documentation that explains both its purpose and the default behavior. The empty default value ensures backward compatibility.

[coderabbitai]

🧹 Nitpick (assertive)

Implementation looks good, but consider documenting security implications.

The technical implementation correctly implements the new functionality to check all executable scripts with any shebang when all_scripts is true. However, there are some important considerations:

1. Security: Checking all executable files with any shebang could potentially process non-shell scripts, which might lead to false positives or waste processing time.
2. Performance: This change could significantly increase the number of files being processed in large repositories.

Consider adding documentation in the README to:

• Explain the security implications of enabling all_scripts
• Provide guidance on when to use this option vs. additional_files
• Include examples of scenarios where this option is beneficial (e.g., HomeAssistant addons)

Also applies to: 163-164