From 743f1281e6e394b7bad596b678c73a8173db8e55 Mon Sep 17 00:00:00 2001 From: S Date: Sat, 28 Feb 2026 21:39:23 -0500 Subject: [PATCH] chore: fix shellcheck findings across migration scripts --- manage_runner.sh | 8 ++++---- phase1_gitea_unraid.sh | 4 ++-- phase1_post_check.sh | 3 +++ phase2_gitea_fedora.sh | 4 ++-- phase2_post_check.sh | 3 +++ phase3_post_check.sh | 2 +- phase3_runners.sh | 2 +- phase4_post_check.sh | 6 ++++++ phase5_migrate_pipelines.sh | 2 +- phase5_teardown.sh | 2 +- phase6_post_check.sh | 3 +++ phase7_post_check.sh | 3 +++ phase8_cutover.sh | 5 +++-- phase8_post_check.sh | 4 ++++ phase9_post_check.sh | 3 +++ phase9_security.sh | 4 ++-- phase9_teardown.sh | 2 +- preflight.sh | 20 +++++++++++++++----- setup/cleanup.sh | 2 ++ setup/cross_host_ssh.sh | 2 ++ setup/fedora.sh | 2 ++ setup/macbook.sh | 2 ++ setup/unraid.sh | 2 ++ 23 files changed, 68 insertions(+), 22 deletions(-) diff --git a/manage_runner.sh b/manage_runner.sh index 2494fd2..2d88e7f 100755 --- a/manage_runner.sh +++ b/manage_runner.sh @@ -164,14 +164,14 @@ add_docker_runner() { export RUNNER_NAME RUNNER_LABELS RUNNER_DATA_PATH export GITEA_RUNNER_REGISTRATION_TOKEN="${GITEA_RUNNER_REGISTRATION_TOKEN:-}" render_template "${SCRIPT_DIR}/templates/docker-compose-runner.yml.tpl" "$tmpfile" \ - '${ACT_RUNNER_VERSION} ${RUNNER_NAME} ${GITEA_INTERNAL_URL} ${GITEA_RUNNER_REGISTRATION_TOKEN} ${RUNNER_LABELS} ${RUNNER_DATA_PATH}' + "\${ACT_RUNNER_VERSION} \${RUNNER_NAME} \${GITEA_INTERNAL_URL} \${GITEA_RUNNER_REGISTRATION_TOKEN} \${RUNNER_LABELS} \${RUNNER_DATA_PATH}" runner_scp "$tmpfile" "${RUNNER_DATA_PATH}/docker-compose.yml" rm -f "$tmpfile" # Render runner config tmpfile=$(mktemp) render_template "${SCRIPT_DIR}/templates/runner-config.yaml.tpl" "$tmpfile" \ - '${RUNNER_NAME} ${RUNNER_LABELS}' + "\${RUNNER_NAME} \${RUNNER_LABELS}" runner_scp "$tmpfile" "${RUNNER_DATA_PATH}/config.yaml" rm -f "$tmpfile" 
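Review bot: The escaped double-quoted allowlists passed to `render_template` in add_docker_runner are more fragile than the single-quoted originals; the same rewrite appears in add_native_runner, phase1_gitea_unraid.sh, phase2_gitea_fedora.sh, phase8_cutover.sh and phase9_security.sh. One dropped backslash turns a placeholder name into the variable's value, and several of these lists name secrets (`GITEA_RUNNER_REGISTRATION_TOKEN`, `GITEA_SECRET_KEY`), so the secret itself would then be passed as a command argument and the template would presumably render wrongly. Keeping the single quotes with a scoped directive, as this commit already does for the sed call in phase8_cutover.sh, states the intent directly: `# shellcheck disable=SC2016  # literal ${VAR} names for render_template`. add_docker_runner's body continues outside the hunk.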
@@ -249,14 +249,14 @@ add_native_runner() { tmpfile=$(mktemp) export RUNNER_NAME RUNNER_LABELS RUNNER_DATA_PATH render_template "${SCRIPT_DIR}/templates/runner-config.yaml.tpl" "$tmpfile" \ - '${RUNNER_NAME} ${RUNNER_LABELS}' + "\${RUNNER_NAME} \${RUNNER_LABELS}" cp "$tmpfile" "${RUNNER_DATA_PATH}/config.yaml" rm -f "$tmpfile" # Render launchd plist tmpfile=$(mktemp) render_template "${SCRIPT_DIR}/templates/com.gitea.runner.plist.tpl" "$tmpfile" \ - '${RUNNER_NAME} ${RUNNER_DATA_PATH}' + "\${RUNNER_NAME} \${RUNNER_DATA_PATH}" mkdir -p "$HOME/Library/LaunchAgents" cp "$tmpfile" "$plist_path" rm -f "$tmpfile" diff --git a/phase1_gitea_unraid.sh b/phase1_gitea_unraid.sh index 963ebb0..5a74daa 100755 --- a/phase1_gitea_unraid.sh +++ b/phase1_gitea_unraid.sh @@ -46,7 +46,7 @@ else # Set variables for template export DATA_PATH GITEA_PORT="${UNRAID_GITEA_PORT}" GITEA_SSH_PORT="${UNRAID_GITEA_SSH_PORT}" render_template "${SCRIPT_DIR}/templates/docker-compose-gitea.yml.tpl" "$TMPFILE" \ - '${GITEA_VERSION} ${DATA_PATH} ${GITEA_PORT} ${GITEA_SSH_PORT}' + "\${GITEA_VERSION} \${DATA_PATH} \${GITEA_PORT} \${GITEA_SSH_PORT}" scp_to UNRAID "$TMPFILE" "${DATA_PATH}/docker-compose.yml" rm -f "$TMPFILE" log_success "docker-compose.yml deployed" @@ -64,7 +64,7 @@ else GITEA_SECRET_KEY=$(openssl rand -hex 32) export GITEA_SECRET_KEY render_template "${SCRIPT_DIR}/templates/app.ini.tpl" "$TMPFILE" \ - '${GITEA_DOMAIN} ${GITEA_DB_TYPE} ${GITEA_SECRET_KEY}' + "\${GITEA_DOMAIN} \${GITEA_DB_TYPE} \${GITEA_SECRET_KEY}" scp_to UNRAID "$TMPFILE" "${DATA_PATH}/config/app.ini" rm -f "$TMPFILE" log_success "app.ini deployed" diff --git a/phase1_post_check.sh b/phase1_post_check.sh index 5518150..0f0cf5b 100755 --- a/phase1_post_check.sh +++ b/phase1_post_check.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase1_post_check.sh — Verify Phase 1 (Gitea on Unraid) succeeded 
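Review bot: The `# shellcheck disable=SC2329` added below `set -euo pipefail` in phase1_post_check.sh probably does not act file-wide as its position suggests. ShellCheck applies a directive to the whole file only when it comes before the first command, and here it follows `set`, so it attaches to whichever command comes next. The per-function directives added in the later hunks are what actually silence the warning, so the top-of-file one is redundant; the same holds for the phase2, phase4, phase6, phase7, phase8 and phase9 post-check scripts and preflight.sh. Either drop it, or move it directly under the shebang with a reason, e.g. `# shellcheck disable=SC2329  # check_* functions are invoked indirectly via run_check`. The per-function form is the safer choice, since a file-wide disable would also hide functions that really are dead.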
@@ -40,6 +41,7 @@ run_check "Admin user authenticates (basic auth)" \ curl -sf -o /dev/null -u "${GITEA_ADMIN_USER}:${GITEA_ADMIN_PASSWORD}" "${GITEA_INTERNAL_URL}/api/v1/user" # Check 3: API token works and returns correct username +# shellcheck disable=SC2329 check_token() { local response response=$(curl -sf -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "${GITEA_INTERNAL_URL}/api/v1/user") @@ -54,6 +56,7 @@ run_check "Organization '${GITEA_ORG_NAME}' exists" \ curl -sf -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "${GITEA_INTERNAL_URL}/api/v1/orgs/${GITEA_ORG_NAME}" # Check 5: Gitea Actions enabled (verify via settings API) +# shellcheck disable=SC2329 check_actions() { # The /api/v1/settings/api endpoint returns instance settings. # If Actions are enabled, the Gitea instance will accept runner registrations. diff --git a/phase2_gitea_fedora.sh b/phase2_gitea_fedora.sh index 6003885..7535886 100755 --- a/phase2_gitea_fedora.sh +++ b/phase2_gitea_fedora.sh @@ -44,7 +44,7 @@ else TMPFILE=$(mktemp) export DATA_PATH GITEA_PORT="${FEDORA_GITEA_PORT}" GITEA_SSH_PORT="${FEDORA_GITEA_SSH_PORT}" render_template "${SCRIPT_DIR}/templates/docker-compose-gitea.yml.tpl" "$TMPFILE" \ - '${GITEA_VERSION} ${DATA_PATH} ${GITEA_PORT} ${GITEA_SSH_PORT}' + "\${GITEA_VERSION} \${DATA_PATH} \${GITEA_PORT} \${GITEA_SSH_PORT}" scp_to FEDORA "$TMPFILE" "${DATA_PATH}/docker-compose.yml" rm -f "$TMPFILE" log_success "docker-compose.yml deployed" @@ -69,7 +69,7 @@ else GITEA_DOMAIN="${FEDORA_IP}:${FEDORA_GITEA_PORT}" export GITEA_DOMAIN render_template "${SCRIPT_DIR}/templates/app.ini.tpl" "$TMPFILE" \ - '${GITEA_DOMAIN} ${GITEA_DB_TYPE} ${GITEA_SECRET_KEY}' + "\${GITEA_DOMAIN} \${GITEA_DB_TYPE} \${GITEA_SECRET_KEY}" scp_to FEDORA "$TMPFILE" "${DATA_PATH}/config/app.ini" rm -f "$TMPFILE" log_success "app.ini deployed" diff --git a/phase2_post_check.sh b/phase2_post_check.sh index 981992f..969674d 100755 --- a/phase2_post_check.sh +++ b/phase2_post_check.sh 
@@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase2_post_check.sh — Verify Phase 2 (Gitea on Fedora) succeeded @@ -41,6 +42,7 @@ run_check "Admin user authenticates (basic auth)" \ curl -sf -o /dev/null -u "${GITEA_ADMIN_USER}:${GITEA_ADMIN_PASSWORD}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/user" # Check 3: API token works and returns correct username +# shellcheck disable=SC2329 check_token() { local response response=$(curl -sf -H "Authorization: token ${GITEA_BACKUP_ADMIN_TOKEN}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/user") @@ -53,6 +55,7 @@ run_check "Backup API token valid (returns correct username)" check_token # Check 4: Gitea Actions enabled (verify via settings API) # No org check here — the Fedora instance doesn't create an org. # Mirror repos are stored under the admin user's namespace. +# shellcheck disable=SC2329 check_actions() { curl -sf -H "Authorization: token ${GITEA_BACKUP_ADMIN_TOKEN}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/settings/api" -o /dev/null } diff --git a/phase3_post_check.sh b/phase3_post_check.sh index 09981b3..a2912ee 100755 --- a/phase3_post_check.sh +++ b/phase3_post_check.sh @@ -61,7 +61,7 @@ done < "$RUNNERS_CONF" # --------------------------------------------------------------------------- # Check: runner count matches runners.conf # --------------------------------------------------------------------------- -EXPECTED_COUNT=$(grep -v '^\s*#' "$RUNNERS_CONF" | grep -v '^\s*$' | wc -l | xargs) +EXPECTED_COUNT=$(grep -Evc '^[[:space:]]*($|#)' "$RUNNERS_CONF") ACTUAL_COUNT=$(printf '%s' "$API_RUNNERS" | jq 'length' 2>/dev/null || echo 0) if [[ "$ACTUAL_COUNT" -ge "$EXPECTED_COUNT" ]]; then diff --git a/phase3_runners.sh b/phase3_runners.sh index ebfc4eb..ff14d61 100755 --- a/phase3_runners.sh +++ b/phase3_runners.sh 
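Review bot: `grep -Evc` in phase3_post_check.sh exits with status 1 when it counts zero lines, so a runners.conf holding only comments or blank lines makes the `EXPECTED_COUNT=$(...)` assignment fail. If this script runs under `set -e` like the other phase scripts on this page (its header is outside the hunk), it stops there without a message instead of reaching the comparison. The same line in phase3_runners.sh would make the `-eq 0` branch with `log_error "No runners defined in runners.conf"` unreachable. Adding `|| true` inside the substitution keeps the printed `0`: `EXPECTED_COUNT=$(grep -Evc '^[[:space:]]*($|#)' "$RUNNERS_CONF" || true)`, and likewise for `RUNNER_COUNT`.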
@@ -30,7 +30,7 @@ if [[ ! -f "$RUNNERS_CONF" ]]; then fi # Count non-comment, non-blank lines to verify there are runners to deploy -RUNNER_COUNT=$(grep -v '^\s*#' "$RUNNERS_CONF" | grep -v '^\s*$' | wc -l | xargs) +RUNNER_COUNT=$(grep -Evc '^[[:space:]]*($|#)' "$RUNNERS_CONF") if [[ "$RUNNER_COUNT" -eq 0 ]]; then log_error "No runners defined in runners.conf" exit 1 diff --git a/phase4_post_check.sh b/phase4_post_check.sh index 337f0f9..2cdf883 100755 --- a/phase4_post_check.sh +++ b/phase4_post_check.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase4_post_check.sh — Verify Phase 4 (Repo Migration) succeeded @@ -44,12 +45,14 @@ for repo in "${REPOS[@]}"; do log_info "--- Checking repo: ${repo} ---" # Check 1: Repo exists on primary + # shellcheck disable=SC2329 check_repo_exists() { gitea_api GET "/repos/${GITEA_ORG_NAME}/$1" >/dev/null } run_check "Primary: ${GITEA_ORG_NAME}/${repo} exists" check_repo_exists "$repo" # Check 2: Repo has commits (migration imported content) + # shellcheck disable=SC2329 check_commits() { local commits commits=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/commits?limit=1") @@ -60,6 +63,7 @@ for repo in "${REPOS[@]}"; do run_check "Primary: ${repo} has commits" check_commits "$repo" # Check 3: Default branch matches GitHub source + # shellcheck disable=SC2329 check_default_branch() { local gitea_branch github_branch gitea_branch=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1" | jq -r '.default_branch') 
@@ -69,12 +73,14 @@ for repo in "${REPOS[@]}"; do run_check "Primary: ${repo} default branch matches GitHub" check_default_branch "$repo" # Check 4: Mirror exists on Fedora + # shellcheck disable=SC2329 check_mirror_exists() { gitea_backup_api GET "/repos/${GITEA_ADMIN_USER}/$1" >/dev/null } run_check "Fedora: ${GITEA_ADMIN_USER}/${repo} exists" check_mirror_exists "$repo" # Check 5: Mirror has mirror=true + # shellcheck disable=SC2329 check_mirror_flag() { local is_mirror is_mirror=$(gitea_backup_api GET "/repos/${GITEA_ADMIN_USER}/$1" | jq -r '.mirror') diff --git a/phase5_migrate_pipelines.sh b/phase5_migrate_pipelines.sh index 502dcd2..62d9e34 100755 --- a/phase5_migrate_pipelines.sh +++ b/phase5_migrate_pipelines.sh @@ -60,7 +60,7 @@ for repo in "${REPOS[@]}"; do # Construct clone URL with embedded token for auth # Format: http://token:TOKEN@host:port/org/repo.git - CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|") + CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" log_info "Cloning ${repo}..." git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" diff --git a/phase5_teardown.sh b/phase5_teardown.sh index 0022f8c..c31f19e 100755 --- a/phase5_teardown.sh +++ b/phase5_teardown.sh @@ -45,7 +45,7 @@ for repo in "${REPOS[@]}"; do CLONE_DIR="${TEMP_BASE}/${repo}" rm -rf "$CLONE_DIR" - CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|") + CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" if [[ -d "${CLONE_DIR}/.gitea/workflows" ]]; then diff --git a/phase6_post_check.sh b/phase6_post_check.sh index 8c61a15..c4d9c94 100755 --- a/phase6_post_check.sh +++ b/phase6_post_check.sh 
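Review bot: The rewritten `CLONE_URL` in phase5_migrate_pipelines.sh still embeds `GITEA_ADMIN_TOKEN` in the URL handed to `git clone`, so the token is visible in the process arguments and is written into the remote URL in `${CLONE_DIR}/.git/config`. phase5_teardown.sh, phase9_security.sh and phase9_teardown.sh repeat the line. The user name and token are also inserted without percent-encoding, so an `@`, `/` or `:` in either gives a URL that git parses differently from what was intended. Consider leaving the URL credential-free and supplying the credentials through a helper that reads exported variables, for example `git -c credential.helper='!f() { echo "username=$GITEA_ADMIN_USER"; echo "password=$GITEA_ADMIN_TOKEN"; }; f' clone -q "${GITEA_INTERNAL_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"`. Any later fetch or push in the loop, which lies outside this hunk, would need the same option.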
@@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase6_post_check.sh — Verify Phase 6 (GitHub Push Mirrors) succeeded @@ -38,6 +39,7 @@ for repo in "${REPOS[@]}"; do log_info "--- Checking repo: ${repo} ---" # Check 1: Push mirror exists + # shellcheck disable=SC2329 check_mirror_exists() { local mirrors mirrors=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/push_mirrors") @@ -49,6 +51,7 @@ for repo in "${REPOS[@]}"; do # Check 2: Latest commit SHA matches between Gitea and GitHub # Trigger a sync first, then compare HEAD commits + # shellcheck disable=SC2329 check_commit_sync() { # Trigger sync gitea_api POST "/repos/${GITEA_ORG_NAME}/$1/push_mirrors-sync" "" >/dev/null 2>&1 || true diff --git a/phase7_post_check.sh b/phase7_post_check.sh index 4f6419f..a0dd0b5 100755 --- a/phase7_post_check.sh +++ b/phase7_post_check.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase7_post_check.sh — Verify Phase 7 (Branch Protection) succeeded @@ -37,12 +38,14 @@ for repo in "${REPOS[@]}"; do log_info "--- Checking repo: ${repo} ---" # Check 1: Protection rule exists + # shellcheck disable=SC2329 check_protection_exists() { gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}" >/dev/null } run_check "Branch protection exists for '${PROTECTED_BRANCH}' on ${repo}" check_protection_exists "$repo" # Check 2: Push is blocked (enable_push should be false) + # shellcheck disable=SC2329 check_push_blocked() { local protection protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}") diff --git a/phase8_cutover.sh b/phase8_cutover.sh index a83b5ad..750b911 100755 --- a/phase8_cutover.sh +++ b/phase8_cutover.sh 
@@ -148,7 +148,7 @@ render_nginx_http_only() { export SSL_CERT_FULLPATH="/dev/null" export SSL_KEY_FULLPATH="/dev/null" render_template "${SCRIPT_DIR}/templates/nginx-gitea.conf.tpl" "$rendered" \ - '${GITEA_DOMAIN} ${UNRAID_IP} ${UNRAID_GITEA_PORT} ${SSL_CERT_FULLPATH} ${SSL_KEY_FULLPATH}' + "\${GITEA_DOMAIN} \${UNRAID_IP} \${UNRAID_GITEA_PORT} \${SSL_CERT_FULLPATH} \${SSL_KEY_FULLPATH}" # Strip the HTTPS server block (everything between markers inclusive) sed '/# SSL_HTTPS_BLOCK_START/,/# SSL_HTTPS_BLOCK_END/d' "$rendered" > "$tmpfile" @@ -166,10 +166,11 @@ render_nginx_https() { export SSL_CERT_FULLPATH="$cert_path" export SSL_KEY_FULLPATH="$key_path" render_template "${SCRIPT_DIR}/templates/nginx-gitea.conf.tpl" "$rendered" \ - '${GITEA_DOMAIN} ${UNRAID_IP} ${UNRAID_GITEA_PORT} ${SSL_CERT_FULLPATH} ${SSL_KEY_FULLPATH}' + "\${GITEA_DOMAIN} \${UNRAID_IP} \${UNRAID_GITEA_PORT} \${SSL_CERT_FULLPATH} \${SSL_KEY_FULLPATH}" # Replace the redirect block content with a 301 redirect to HTTPS # The block between markers gets replaced with just the redirect + # shellcheck disable=SC2016 sed '/# SSL_REDIRECT_BLOCK_START/,/# SSL_REDIRECT_BLOCK_END/{ /# SSL_REDIRECT_BLOCK_START/!{/# SSL_REDIRECT_BLOCK_END/!d;} /# SSL_REDIRECT_BLOCK_START/a\ diff --git a/phase8_post_check.sh b/phase8_post_check.sh index e5d09c4..5130d28 100755 --- a/phase8_post_check.sh +++ b/phase8_post_check.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded @@ -41,6 +42,7 @@ run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" \ curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version" # Check 2: HTTP redirects to HTTPS (returns 301) +# shellcheck disable=SC2329 check_redirect() { local http_code http_code=$(curl -sI -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/") 
@@ -49,6 +51,7 @@ check_redirect() { run_check "HTTP → HTTPS redirect (301)" check_redirect # Check 3: SSL certificate is valid (not self-signed) +# shellcheck disable=SC2329 check_ssl_cert() { # Verify openssl can connect and the cert is issued by a recognized CA local issuer @@ -66,6 +69,7 @@ done # Check 5: GitHub repos are marked as offsite backup for repo in "${REPOS[@]}"; do + # shellcheck disable=SC2329 check_mirror_marked() { local desc desc=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.description // ""') diff --git a/phase9_post_check.sh b/phase9_post_check.sh index 1fa177d..b93cd01 100755 --- a/phase9_post_check.sh +++ b/phase9_post_check.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # phase9_post_check.sh — Verify Phase 9 (Security Scanning) succeeded @@ -38,6 +39,7 @@ for repo in "${REPOS[@]}"; do log_info "--- Checking repo: ${repo} ---" # Check 1: security-scan.yml exists + # shellcheck disable=SC2329 check_workflow_exists() { gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/contents/.gitea/workflows/security-scan.yml" >/dev/null } @@ -45,6 +47,7 @@ for repo in "${REPOS[@]}"; do # Check 2: Branch protection includes security checks (if required) if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then + # shellcheck disable=SC2329 check_status_checks() { local protection protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}") diff --git a/phase9_security.sh b/phase9_security.sh index f23e491..8bb338a 100755 --- a/phase9_security.sh +++ b/phase9_security.sh 
@@ -58,7 +58,7 @@ for repo in "${REPOS[@]}"; do rm -rf "$CLONE_DIR" mkdir -p "$CLONE_DIR" - CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|") + CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" log_info "Cloning ${repo}..." git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" @@ -72,7 +72,7 @@ for repo in "${REPOS[@]}"; do export SEMGREP_VERSION TRIVY_VERSION GITLEAKS_VERSION PROTECTED_BRANCH render_template "${SCRIPT_DIR}/templates/workflows/security-scan.yml.tpl" \ "${CLONE_DIR}/.gitea/workflows/security-scan.yml" \ - '${PROTECTED_BRANCH} ${SEMGREP_VERSION} ${TRIVY_VERSION} ${GITLEAKS_VERSION}' + "\${PROTECTED_BRANCH} \${SEMGREP_VERSION} \${TRIVY_VERSION} \${GITLEAKS_VERSION}" # ------------------------------------------------------------------------- # Step 3: Commit and push diff --git a/phase9_teardown.sh b/phase9_teardown.sh index d350cb0..17de01c 100755 --- a/phase9_teardown.sh +++ b/phase9_teardown.sh @@ -46,7 +46,7 @@ for repo in "${REPOS[@]}"; do CLONE_DIR="${TEMP_BASE}/${repo}" rm -rf "$CLONE_DIR" - CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|") + CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}" git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR" if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then diff --git a/preflight.sh b/preflight.sh index b340d85..0abaa7d 100755 --- a/preflight.sh +++ b/preflight.sh @@ -1,5 +1,6 @@ #!/usr/bin/env bash set -euo pipefail +# shellcheck disable=SC2329 # ============================================================================= # preflight.sh — Validate everything before running migration phases 
@@ -75,6 +76,7 @@ check_fedora_os() { # --------------------------------------------------------------------------- # Check 4: .env exists # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_env_exists() { [[ -f "${SCRIPT_DIR}/.env" ]] } @@ -88,6 +90,7 @@ fi # --------------------------------------------------------------------------- # Check 5: runners.conf exists # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_runners_conf() { [[ -f "${SCRIPT_DIR}/runners.conf" ]] } @@ -119,6 +122,7 @@ REQUIRED_VARS=( NGINX_CONTAINER_NAME NGINX_CONF_PATH SSL_MODE ) +# shellcheck disable=SC2329 check_required_vars() { local missing=0 for var in "${REQUIRED_VARS[@]}"; do @@ -154,13 +158,14 @@ check_required_vars() { ;; esac - return $missing + return "$missing" } check 6 "All required .env vars are set" check_required_vars # --------------------------------------------------------------------------- # Check 7: SSH to Unraid # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_ssh_unraid() { ssh_check UNRAID } @@ -172,6 +177,7 @@ fi # --------------------------------------------------------------------------- # Check 8: SSH to Fedora # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_ssh_fedora() { ssh_check FEDORA } @@ -298,6 +304,7 @@ fi # --------------------------------------------------------------------------- # Check 17: GitHub repos exist # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_github_repos() { local all_ok=0 for var in REPO_1_NAME REPO_2_NAME REPO_3_NAME; do @@ -310,7 +317,7 @@ check_github_repos() { all_ok=1 fi done - return $all_ok + return "$all_ok" } check 17 "All GitHub repos exist" check_github_repos 
@@ -342,36 +349,39 @@ fi # Check 20: Local tool minimum versions # Validates that tools on the MacBook meet minimum requirements. # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_local_versions() { local fail=0 check_min_version "jq" "jq --version" "1.6" || fail=1 check_min_version "curl" "curl --version" "7.70" || fail=1 check_min_version "git" "git --version" "2.30" || fail=1 - return $fail + return "$fail" } check 20 "Local tool minimum versions (jq>=1.6, curl>=7.70, git>=2.30)" check_local_versions # --------------------------------------------------------------------------- # Check 21: Unraid tool minimum versions # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_unraid_versions() { local fail=0 check_remote_min_version "UNRAID" "docker" "docker --version" "20.0" || fail=1 check_remote_min_version "UNRAID" "docker-compose" "docker compose version 2>/dev/null || docker-compose --version" "2.0" || fail=1 check_remote_min_version "UNRAID" "jq" "jq --version" "1.6" || fail=1 - return $fail + return "$fail" } check 21 "Unraid tool minimum versions (docker>=20, compose>=2, jq>=1.6)" check_unraid_versions # --------------------------------------------------------------------------- # Check 22: Fedora tool minimum versions # --------------------------------------------------------------------------- +# shellcheck disable=SC2329 check_fedora_versions() { local fail=0 check_remote_min_version "FEDORA" "docker" "docker --version" "20.0" || fail=1 check_remote_min_version "FEDORA" "docker-compose" "docker compose version" "2.0" || fail=1 check_remote_min_version "FEDORA" "jq" "jq --version" "1.6" || fail=1 - return $fail + return "$fail" } check 22 "Fedora tool minimum versions (docker>=20, compose>=2, jq>=1.6)" check_fedora_versions diff --git a/setup/cleanup.sh b/setup/cleanup.sh index ec1f3c2..93878bf 100755 --- a/setup/cleanup.sh 
+++ b/setup/cleanup.sh @@ -16,6 +16,8 @@ set -euo pipefail # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +# shellcheck source=../lib/common.sh +# shellcheck disable=SC1091 source "${SCRIPT_DIR}/../lib/common.sh" load_env || true # Best effort — .env may already be gone during full cleanup diff --git a/setup/cross_host_ssh.sh b/setup/cross_host_ssh.sh index abed1e5..413cc10 100755 --- a/setup/cross_host_ssh.sh +++ b/setup/cross_host_ssh.sh @@ -14,6 +14,8 @@ set -euo pipefail # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +# shellcheck source=../lib/common.sh +# shellcheck disable=SC1091 source "${SCRIPT_DIR}/../lib/common.sh" load_env diff --git a/setup/fedora.sh b/setup/fedora.sh index 38e4e51..3cd812b 100755 --- a/setup/fedora.sh +++ b/setup/fedora.sh @@ -6,6 +6,8 @@ set -euo pipefail # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +# shellcheck source=../lib/common.sh +# shellcheck disable=SC1091 source "${SCRIPT_DIR}/../lib/common.sh" load_env diff --git a/setup/macbook.sh b/setup/macbook.sh index c21ab68..c49dd5c 100755 --- a/setup/macbook.sh +++ b/setup/macbook.sh @@ -6,6 +6,8 @@ set -euo pipefail # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +# shellcheck source=../lib/common.sh +# shellcheck disable=SC1091 source "${SCRIPT_DIR}/../lib/common.sh" log_info "=== MacBook Setup ===" diff --git a/setup/unraid.sh b/setup/unraid.sh index 9bad469..d6397fa 100755 --- a/setup/unraid.sh +++ b/setup/unraid.sh 
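Review bot: Pairing `# shellcheck source=../lib/common.sh` with `# shellcheck disable=SC1091` in setup/cleanup.sh cancels the benefit of the first directive, and cross_host_ssh.sh, fedora.sh, macbook.sh and unraid.sh do the same. If ShellCheck cannot resolve the path, the disable hides that, and lib/common.sh goes unanalysed with no warning. The `source=` path is resolved relative to the directory ShellCheck runs from unless told otherwise, which is presumably why SC1091 fired in the first place. Anchoring the lookup to the script removes the need for the disable: `# shellcheck source-path=SCRIPTDIR` followed by `# shellcheck source=../lib/common.sh`, with the linter run as `shellcheck -x`.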
@@ -6,6 +6,8 @@ set -euo pipefail # ============================================================================= SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)" +# shellcheck source=../lib/common.sh +# shellcheck disable=SC1091 source "${SCRIPT_DIR}/../lib/common.sh" load_env