chore: fix shellcheck findings across migration scripts

manage_runner.sh

@@ -164,14 +164,14 @@ add_docker_runner() {
   export RUNNER_NAME RUNNER_LABELS RUNNER_DATA_PATH
   export GITEA_RUNNER_REGISTRATION_TOKEN="${GITEA_RUNNER_REGISTRATION_TOKEN:-}"
   render_template "${SCRIPT_DIR}/templates/docker-compose-runner.yml.tpl" "$tmpfile" \
-    '${ACT_RUNNER_VERSION} ${RUNNER_NAME} ${GITEA_INTERNAL_URL} ${GITEA_RUNNER_REGISTRATION_TOKEN} ${RUNNER_LABELS} ${RUNNER_DATA_PATH}'
+    "\${ACT_RUNNER_VERSION} \${RUNNER_NAME} \${GITEA_INTERNAL_URL} \${GITEA_RUNNER_REGISTRATION_TOKEN} \${RUNNER_LABELS} \${RUNNER_DATA_PATH}"
   runner_scp "$tmpfile" "${RUNNER_DATA_PATH}/docker-compose.yml"
   rm -f "$tmpfile"
 
   # Render runner config
   tmpfile=$(mktemp)
   render_template "${SCRIPT_DIR}/templates/runner-config.yaml.tpl" "$tmpfile" \
-    '${RUNNER_NAME} ${RUNNER_LABELS}'
+    "\${RUNNER_NAME} \${RUNNER_LABELS}"
   runner_scp "$tmpfile" "${RUNNER_DATA_PATH}/config.yaml"
   rm -f "$tmpfile"
 
@@ -249,14 +249,14 @@ add_native_runner() {
   tmpfile=$(mktemp)
   export RUNNER_NAME RUNNER_LABELS RUNNER_DATA_PATH
   render_template "${SCRIPT_DIR}/templates/runner-config.yaml.tpl" "$tmpfile" \
-    '${RUNNER_NAME} ${RUNNER_LABELS}'
+    "\${RUNNER_NAME} \${RUNNER_LABELS}"
   cp "$tmpfile" "${RUNNER_DATA_PATH}/config.yaml"
   rm -f "$tmpfile"
 
   # Render launchd plist
   tmpfile=$(mktemp)
   render_template "${SCRIPT_DIR}/templates/com.gitea.runner.plist.tpl" "$tmpfile" \
-    '${RUNNER_NAME} ${RUNNER_DATA_PATH}'
+    "\${RUNNER_NAME} \${RUNNER_DATA_PATH}"
   mkdir -p "$HOME/Library/LaunchAgents"
   cp "$tmpfile" "$plist_path"
   rm -f "$tmpfile"

phase1_gitea_unraid.sh

@@ -46,7 +46,7 @@ else
   # Set variables for template
   export DATA_PATH GITEA_PORT="${UNRAID_GITEA_PORT}" GITEA_SSH_PORT="${UNRAID_GITEA_SSH_PORT}"
   render_template "${SCRIPT_DIR}/templates/docker-compose-gitea.yml.tpl" "$TMPFILE" \
-    '${GITEA_VERSION} ${DATA_PATH} ${GITEA_PORT} ${GITEA_SSH_PORT}'
+    "\${GITEA_VERSION} \${DATA_PATH} \${GITEA_PORT} \${GITEA_SSH_PORT}"
   scp_to UNRAID "$TMPFILE" "${DATA_PATH}/docker-compose.yml"
   rm -f "$TMPFILE"
   log_success "docker-compose.yml deployed"
@@ -64,7 +64,7 @@ else
   GITEA_SECRET_KEY=$(openssl rand -hex 32)
   export GITEA_SECRET_KEY
   render_template "${SCRIPT_DIR}/templates/app.ini.tpl" "$TMPFILE" \
-    '${GITEA_DOMAIN} ${GITEA_DB_TYPE} ${GITEA_SECRET_KEY}'
+    "\${GITEA_DOMAIN} \${GITEA_DB_TYPE} \${GITEA_SECRET_KEY}"
   scp_to UNRAID "$TMPFILE" "${DATA_PATH}/config/app.ini"
   rm -f "$TMPFILE"
   log_success "app.ini deployed"

phase1_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase1_post_check.sh — Verify Phase 1 (Gitea on Unraid) succeeded
@@ -40,6 +41,7 @@ run_check "Admin user authenticates (basic auth)" \
   curl -sf -o /dev/null -u "${GITEA_ADMIN_USER}:${GITEA_ADMIN_PASSWORD}" "${GITEA_INTERNAL_URL}/api/v1/user"
 
 # Check 3: API token works and returns correct username
+# shellcheck disable=SC2329
 check_token() {
   local response
   response=$(curl -sf -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "${GITEA_INTERNAL_URL}/api/v1/user")
@@ -54,6 +56,7 @@ run_check "Organization '${GITEA_ORG_NAME}' exists" \
   curl -sf -o /dev/null -H "Authorization: token ${GITEA_ADMIN_TOKEN}" "${GITEA_INTERNAL_URL}/api/v1/orgs/${GITEA_ORG_NAME}"
 
 # Check 5: Gitea Actions enabled (verify via settings API)
+# shellcheck disable=SC2329
 check_actions() {
   # The /api/v1/settings/api endpoint returns instance settings.
   # If Actions are enabled, the Gitea instance will accept runner registrations.

phase2_gitea_fedora.sh

@@ -44,7 +44,7 @@ else
   TMPFILE=$(mktemp)
   export DATA_PATH GITEA_PORT="${FEDORA_GITEA_PORT}" GITEA_SSH_PORT="${FEDORA_GITEA_SSH_PORT}"
   render_template "${SCRIPT_DIR}/templates/docker-compose-gitea.yml.tpl" "$TMPFILE" \
-    '${GITEA_VERSION} ${DATA_PATH} ${GITEA_PORT} ${GITEA_SSH_PORT}'
+    "\${GITEA_VERSION} \${DATA_PATH} \${GITEA_PORT} \${GITEA_SSH_PORT}"
   scp_to FEDORA "$TMPFILE" "${DATA_PATH}/docker-compose.yml"
   rm -f "$TMPFILE"
   log_success "docker-compose.yml deployed"
@@ -69,7 +69,7 @@ else
   GITEA_DOMAIN="${FEDORA_IP}:${FEDORA_GITEA_PORT}"
   export GITEA_DOMAIN
   render_template "${SCRIPT_DIR}/templates/app.ini.tpl" "$TMPFILE" \
-    '${GITEA_DOMAIN} ${GITEA_DB_TYPE} ${GITEA_SECRET_KEY}'
+    "\${GITEA_DOMAIN} \${GITEA_DB_TYPE} \${GITEA_SECRET_KEY}"
   scp_to FEDORA "$TMPFILE" "${DATA_PATH}/config/app.ini"
   rm -f "$TMPFILE"
   log_success "app.ini deployed"

phase2_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase2_post_check.sh — Verify Phase 2 (Gitea on Fedora) succeeded
@@ -41,6 +42,7 @@ run_check "Admin user authenticates (basic auth)" \
   curl -sf -o /dev/null -u "${GITEA_ADMIN_USER}:${GITEA_ADMIN_PASSWORD}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/user"
 
 # Check 3: API token works and returns correct username
+# shellcheck disable=SC2329
 check_token() {
   local response
   response=$(curl -sf -H "Authorization: token ${GITEA_BACKUP_ADMIN_TOKEN}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/user")
@@ -53,6 +55,7 @@ run_check "Backup API token valid (returns correct username)" check_token
 # Check 4: Gitea Actions enabled (verify via settings API)
 # No org check here — the Fedora instance doesn't create an org.
 # Mirror repos are stored under the admin user's namespace.
+# shellcheck disable=SC2329
 check_actions() {
   curl -sf -H "Authorization: token ${GITEA_BACKUP_ADMIN_TOKEN}" "${GITEA_BACKUP_INTERNAL_URL}/api/v1/settings/api" -o /dev/null
 }

phase3_post_check.sh

@@ -61,7 +61,7 @@ done < "$RUNNERS_CONF"
 # ---------------------------------------------------------------------------
 # Check: runner count matches runners.conf
 # ---------------------------------------------------------------------------
-EXPECTED_COUNT=$(grep -v '^\s*#' "$RUNNERS_CONF" | grep -v '^\s*$' | wc -l | xargs)
+EXPECTED_COUNT=$(grep -Evc '^[[:space:]]*($|#)' "$RUNNERS_CONF")
 ACTUAL_COUNT=$(printf '%s' "$API_RUNNERS" | jq 'length' 2>/dev/null || echo 0)
 
 if [[ "$ACTUAL_COUNT" -ge "$EXPECTED_COUNT" ]]; then

phase3_runners.sh

@@ -30,7 +30,7 @@ if [[ ! -f "$RUNNERS_CONF" ]]; then
 fi
 
 # Count non-comment, non-blank lines to verify there are runners to deploy
-RUNNER_COUNT=$(grep -v '^\s*#' "$RUNNERS_CONF" | grep -v '^\s*$' | wc -l | xargs)
+RUNNER_COUNT=$(grep -Evc '^[[:space:]]*($|#)' "$RUNNERS_CONF")
 if [[ "$RUNNER_COUNT" -eq 0 ]]; then
   log_error "No runners defined in runners.conf"
   exit 1

phase4_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase4_post_check.sh — Verify Phase 4 (Repo Migration) succeeded
@@ -44,12 +45,14 @@ for repo in "${REPOS[@]}"; do
   log_info "--- Checking repo: ${repo} ---"
 
   # Check 1: Repo exists on primary
+  # shellcheck disable=SC2329
   check_repo_exists() {
     gitea_api GET "/repos/${GITEA_ORG_NAME}/$1" >/dev/null
   }
   run_check "Primary: ${GITEA_ORG_NAME}/${repo} exists" check_repo_exists "$repo"
 
   # Check 2: Repo has commits (migration imported content)
+  # shellcheck disable=SC2329
   check_commits() {
     local commits
     commits=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/commits?limit=1")
@@ -60,6 +63,7 @@ for repo in "${REPOS[@]}"; do
   run_check "Primary: ${repo} has commits" check_commits "$repo"
 
   # Check 3: Default branch matches GitHub source
+  # shellcheck disable=SC2329
   check_default_branch() {
     local gitea_branch github_branch
     gitea_branch=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1" | jq -r '.default_branch')
@@ -69,12 +73,14 @@ for repo in "${REPOS[@]}"; do
   run_check "Primary: ${repo} default branch matches GitHub" check_default_branch "$repo"
 
   # Check 4: Mirror exists on Fedora
+  # shellcheck disable=SC2329
   check_mirror_exists() {
     gitea_backup_api GET "/repos/${GITEA_ADMIN_USER}/$1" >/dev/null
   }
   run_check "Fedora: ${GITEA_ADMIN_USER}/${repo} exists" check_mirror_exists "$repo"
 
   # Check 5: Mirror has mirror=true
+  # shellcheck disable=SC2329
   check_mirror_flag() {
     local is_mirror
     is_mirror=$(gitea_backup_api GET "/repos/${GITEA_ADMIN_USER}/$1" | jq -r '.mirror')

phase5_migrate_pipelines.sh

@@ -60,7 +60,7 @@ for repo in "${REPOS[@]}"; do
 
   # Construct clone URL with embedded token for auth
   # Format: http://token:TOKEN@host:port/org/repo.git
-  CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|")
+  CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}"
   log_info "Cloning ${repo}..."
   git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"
 

phase5_teardown.sh

@@ -45,7 +45,7 @@ for repo in "${REPOS[@]}"; do
   CLONE_DIR="${TEMP_BASE}/${repo}"
   rm -rf "$CLONE_DIR"
 
-  CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|")
+  CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}"
   git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"
 
   if [[ -d "${CLONE_DIR}/.gitea/workflows" ]]; then

phase6_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase6_post_check.sh — Verify Phase 6 (GitHub Push Mirrors) succeeded
@@ -38,6 +39,7 @@ for repo in "${REPOS[@]}"; do
   log_info "--- Checking repo: ${repo} ---"
 
   # Check 1: Push mirror exists
+  # shellcheck disable=SC2329
   check_mirror_exists() {
     local mirrors
     mirrors=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/push_mirrors")
@@ -49,6 +51,7 @@ for repo in "${REPOS[@]}"; do
 
   # Check 2: Latest commit SHA matches between Gitea and GitHub
   # Trigger a sync first, then compare HEAD commits
+  # shellcheck disable=SC2329
   check_commit_sync() {
     # Trigger sync
     gitea_api POST "/repos/${GITEA_ORG_NAME}/$1/push_mirrors-sync" "" >/dev/null 2>&1 || true

phase7_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase7_post_check.sh — Verify Phase 7 (Branch Protection) succeeded
@@ -37,12 +38,14 @@ for repo in "${REPOS[@]}"; do
   log_info "--- Checking repo: ${repo} ---"
 
   # Check 1: Protection rule exists
+  # shellcheck disable=SC2329
   check_protection_exists() {
     gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}" >/dev/null
   }
   run_check "Branch protection exists for '${PROTECTED_BRANCH}' on ${repo}" check_protection_exists "$repo"
 
   # Check 2: Push is blocked (enable_push should be false)
+  # shellcheck disable=SC2329
   check_push_blocked() {
     local protection
     protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/${repo}/branch_protections/${PROTECTED_BRANCH}")

phase8_cutover.sh

@@ -148,7 +148,7 @@ render_nginx_http_only() {
   export SSL_CERT_FULLPATH="/dev/null"
   export SSL_KEY_FULLPATH="/dev/null"
   render_template "${SCRIPT_DIR}/templates/nginx-gitea.conf.tpl" "$rendered" \
-    '${GITEA_DOMAIN} ${UNRAID_IP} ${UNRAID_GITEA_PORT} ${SSL_CERT_FULLPATH} ${SSL_KEY_FULLPATH}'
+    "\${GITEA_DOMAIN} \${UNRAID_IP} \${UNRAID_GITEA_PORT} \${SSL_CERT_FULLPATH} \${SSL_KEY_FULLPATH}"
 
   # Strip the HTTPS server block (everything between markers inclusive)
   sed '/# SSL_HTTPS_BLOCK_START/,/# SSL_HTTPS_BLOCK_END/d' "$rendered" > "$tmpfile"
@@ -166,10 +166,11 @@ render_nginx_https() {
   export SSL_CERT_FULLPATH="$cert_path"
   export SSL_KEY_FULLPATH="$key_path"
   render_template "${SCRIPT_DIR}/templates/nginx-gitea.conf.tpl" "$rendered" \
-    '${GITEA_DOMAIN} ${UNRAID_IP} ${UNRAID_GITEA_PORT} ${SSL_CERT_FULLPATH} ${SSL_KEY_FULLPATH}'
+    "\${GITEA_DOMAIN} \${UNRAID_IP} \${UNRAID_GITEA_PORT} \${SSL_CERT_FULLPATH} \${SSL_KEY_FULLPATH}"
 
   # Replace the redirect block content with a 301 redirect to HTTPS
   # The block between markers gets replaced with just the redirect
+  # shellcheck disable=SC2016
   sed '/# SSL_REDIRECT_BLOCK_START/,/# SSL_REDIRECT_BLOCK_END/{
     /# SSL_REDIRECT_BLOCK_START/!{/# SSL_REDIRECT_BLOCK_END/!d;}
     /# SSL_REDIRECT_BLOCK_START/a\

phase8_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase8_post_check.sh — Verify Phase 8 (Cutover) succeeded
@@ -41,6 +42,7 @@ run_check "HTTPS returns 200 at https://${GITEA_DOMAIN}" \
   curl -sf -o /dev/null "https://${GITEA_DOMAIN}/api/v1/version"
 
 # Check 2: HTTP redirects to HTTPS (returns 301)
+# shellcheck disable=SC2329
 check_redirect() {
   local http_code
   http_code=$(curl -sI -o /dev/null -w "%{http_code}" "http://${GITEA_DOMAIN}/")
@@ -49,6 +51,7 @@ check_redirect() {
 run_check "HTTP → HTTPS redirect (301)" check_redirect
 
 # Check 3: SSL certificate is valid (not self-signed)
+# shellcheck disable=SC2329
 check_ssl_cert() {
   # Verify openssl can connect and the cert is issued by a recognized CA
   local issuer
@@ -66,6 +69,7 @@ done
 
 # Check 5: GitHub repos are marked as offsite backup
 for repo in "${REPOS[@]}"; do
+  # shellcheck disable=SC2329
   check_mirror_marked() {
     local desc
     desc=$(github_api GET "/repos/${GITHUB_USERNAME}/$1" | jq -r '.description // ""')

phase9_post_check.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # phase9_post_check.sh — Verify Phase 9 (Security Scanning) succeeded
@@ -38,6 +39,7 @@ for repo in "${REPOS[@]}"; do
   log_info "--- Checking repo: ${repo} ---"
 
   # Check 1: security-scan.yml exists
+  # shellcheck disable=SC2329
   check_workflow_exists() {
     gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/contents/.gitea/workflows/security-scan.yml" >/dev/null
   }
@@ -45,6 +47,7 @@ for repo in "${REPOS[@]}"; do
 
   # Check 2: Branch protection includes security checks (if required)
   if [[ "$SECURITY_FAIL_ON_ERROR" == "true" ]]; then
+    # shellcheck disable=SC2329
     check_status_checks() {
       local protection
       protection=$(gitea_api GET "/repos/${GITEA_ORG_NAME}/$1/branch_protections/${PROTECTED_BRANCH}")

phase9_security.sh

@@ -58,7 +58,7 @@ for repo in "${REPOS[@]}"; do
   rm -rf "$CLONE_DIR"
   mkdir -p "$CLONE_DIR"
 
-  CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|")
+  CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}"
   log_info "Cloning ${repo}..."
   git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"
 
@@ -72,7 +72,7 @@ for repo in "${REPOS[@]}"; do
   export SEMGREP_VERSION TRIVY_VERSION GITLEAKS_VERSION PROTECTED_BRANCH
   render_template "${SCRIPT_DIR}/templates/workflows/security-scan.yml.tpl" \
     "${CLONE_DIR}/.gitea/workflows/security-scan.yml" \
-    '${PROTECTED_BRANCH} ${SEMGREP_VERSION} ${TRIVY_VERSION} ${GITLEAKS_VERSION}'
+    "\${PROTECTED_BRANCH} \${SEMGREP_VERSION} \${TRIVY_VERSION} \${GITLEAKS_VERSION}"
 
   # -------------------------------------------------------------------------
   # Step 3: Commit and push

phase9_teardown.sh

@@ -46,7 +46,7 @@ for repo in "${REPOS[@]}"; do
   CLONE_DIR="${TEMP_BASE}/${repo}"
   rm -rf "$CLONE_DIR"
 
-  CLONE_URL=$(echo "${GITEA_INTERNAL_URL}" | sed "s|://|://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@|")
+  CLONE_URL="${GITEA_INTERNAL_URL%%://*}://${GITEA_ADMIN_USER}:${GITEA_ADMIN_TOKEN}@${GITEA_INTERNAL_URL#*://}"
   git clone -q "${CLONE_URL}/${GITEA_ORG_NAME}/${repo}.git" "$CLONE_DIR"
 
   if [[ -f "${CLONE_DIR}/.gitea/workflows/security-scan.yml" ]]; then

preflight.sh

@@ -1,5 +1,6 @@
 #!/usr/bin/env bash
 set -euo pipefail
+# shellcheck disable=SC2329
 
 # =============================================================================
 # preflight.sh — Validate everything before running migration phases
@@ -75,6 +76,7 @@ check_fedora_os() {
 # ---------------------------------------------------------------------------
 # Check 4: .env exists
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_env_exists() {
   [[ -f "${SCRIPT_DIR}/.env" ]]
 }
@@ -88,6 +90,7 @@ fi
 # ---------------------------------------------------------------------------
 # Check 5: runners.conf exists
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_runners_conf() {
   [[ -f "${SCRIPT_DIR}/runners.conf" ]]
 }
@@ -119,6 +122,7 @@ REQUIRED_VARS=(
   NGINX_CONTAINER_NAME NGINX_CONF_PATH SSL_MODE
 )
 
+# shellcheck disable=SC2329
 check_required_vars() {
   local missing=0
   for var in "${REQUIRED_VARS[@]}"; do
@@ -154,13 +158,14 @@ check_required_vars() {
       ;;
   esac
 
-  return $missing
+  return "$missing"
 }
 check 6 "All required .env vars are set" check_required_vars
 
 # ---------------------------------------------------------------------------
 # Check 7: SSH to Unraid
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_ssh_unraid() {
   ssh_check UNRAID
 }
@@ -172,6 +177,7 @@ fi
 # ---------------------------------------------------------------------------
 # Check 8: SSH to Fedora
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_ssh_fedora() {
   ssh_check FEDORA
 }
@@ -298,6 +304,7 @@ fi
 # ---------------------------------------------------------------------------
 # Check 17: GitHub repos exist
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_github_repos() {
   local all_ok=0
   for var in REPO_1_NAME REPO_2_NAME REPO_3_NAME; do
@@ -310,7 +317,7 @@ check_github_repos() {
       all_ok=1
     fi
   done
-  return $all_ok
+  return "$all_ok"
 }
 check 17 "All GitHub repos exist" check_github_repos
 
@@ -342,36 +349,39 @@ fi
 # Check 20: Local tool minimum versions
 # Validates that tools on the MacBook meet minimum requirements.
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_local_versions() {
   local fail=0
   check_min_version "jq"        "jq --version"        "1.6"    || fail=1
   check_min_version "curl"      "curl --version"      "7.70"   || fail=1
   check_min_version "git"       "git --version"       "2.30"   || fail=1
-  return $fail
+  return "$fail"
 }
 check 20 "Local tool minimum versions (jq>=1.6, curl>=7.70, git>=2.30)" check_local_versions
 
 # ---------------------------------------------------------------------------
 # Check 21: Unraid tool minimum versions
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_unraid_versions() {
   local fail=0
   check_remote_min_version "UNRAID" "docker"        "docker --version"        "20.0" || fail=1
   check_remote_min_version "UNRAID" "docker-compose" "docker compose version 2>/dev/null || docker-compose --version" "2.0" || fail=1
   check_remote_min_version "UNRAID" "jq"            "jq --version"            "1.6"  || fail=1
-  return $fail
+  return "$fail"
 }
 check 21 "Unraid tool minimum versions (docker>=20, compose>=2, jq>=1.6)" check_unraid_versions
 
 # ---------------------------------------------------------------------------
 # Check 22: Fedora tool minimum versions
 # ---------------------------------------------------------------------------
+# shellcheck disable=SC2329
 check_fedora_versions() {
   local fail=0
   check_remote_min_version "FEDORA" "docker"        "docker --version"        "20.0" || fail=1
   check_remote_min_version "FEDORA" "docker-compose" "docker compose version"  "2.0"  || fail=1
   check_remote_min_version "FEDORA" "jq"            "jq --version"            "1.6"  || fail=1
-  return $fail
+  return "$fail"
 }
 check 22 "Fedora tool minimum versions (docker>=20, compose>=2, jq>=1.6)" check_fedora_versions
 

setup/cleanup.sh

@@ -16,6 +16,8 @@ set -euo pipefail
 # =============================================================================
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=../lib/common.sh
+# shellcheck disable=SC1091
 source "${SCRIPT_DIR}/../lib/common.sh"
 
 load_env || true  # Best effort — .env may already be gone during full cleanup

setup/cross_host_ssh.sh

@@ -14,6 +14,8 @@ set -euo pipefail
 # =============================================================================
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=../lib/common.sh
+# shellcheck disable=SC1091
 source "${SCRIPT_DIR}/../lib/common.sh"
 
 load_env

setup/fedora.sh

@@ -6,6 +6,8 @@ set -euo pipefail
 # =============================================================================
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=../lib/common.sh
+# shellcheck disable=SC1091
 source "${SCRIPT_DIR}/../lib/common.sh"
 
 load_env

setup/macbook.sh

@@ -6,6 +6,8 @@ set -euo pipefail
 # =============================================================================
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=../lib/common.sh
+# shellcheck disable=SC1091
 source "${SCRIPT_DIR}/../lib/common.sh"
 
 log_info "=== MacBook Setup ==="

setup/unraid.sh

@@ -6,6 +6,8 @@ set -euo pipefail
 # =============================================================================
 
 SCRIPT_DIR="$(cd "$(dirname "$0")" && pwd)"
+# shellcheck source=../lib/common.sh
+# shellcheck disable=SC1091
 source "${SCRIPT_DIR}/../lib/common.sh"
 
 load_env