build: add shellcheck pre-commit hook (#1130)

behnazh-w · web-flow · commit 006c42aa87ef · 2025-07-22T12:13:11.000+10:00
Signed-off-by: behnazh-w &lt;behnaz.hassanshahi@oracle.com&gt;
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -76,6 +76,13 @@ repos:
   hooks:
   - id: actionlint
 
+# Check shell scripts with shellcheck.
+- repo: https://github.com/shellcheck-py/shellcheck-py
+  rev: v0.10.0.1
+  hooks:
+  - id: shellcheck
+    exclude: ^tests/
+
 # Run Pylint from the local repo to make sure venv packages
 # specified in pyproject.toml are available.
 - repo: local
diff --git a/golang/internal/bashparser/resources/valid.sh b/golang/internal/bashparser/resources/valid.sh
@@ -1,7 +1,7 @@
-# Copyright (c) 2022 - 2022, Oracle and/or its affiliates. All rights reserved.
-# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
+#!/bin/bash
 
-#! bin/bash
+# Copyright (c) 2022 - 2025, Oracle and/or its affiliates. All rights reserved.
+# Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 set -euo pipefail
 if [[ "$COMPILE_BUILDER" = true ]]; then
diff --git a/scripts/release_scripts/check_vsa.sh b/scripts/release_scripts/check_vsa.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2024 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2024 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This script checks the Verification Summary Attestation generated by Macaron.
@@ -111,15 +111,15 @@ fi
 
 # Check the purl and obtain the matching subject.
 if [[ -n "${purl:-}" ]]; then
-    subject_digest=$(cat "$arg_vsa_path" | jq -r ".payload" | base64 -d | jq -r ".subject[] | select(.uri == \"$purl\") | .digest.sha256")
+    subject_digest=$(jq -r '.payload' < "$arg_vsa_path" | base64 -d | jq -r ".subject[] | select(.uri == \"$purl\") | .digest.sha256")
 else
     log_err "Please provide the package URL."
     print_help
     exit 1
 fi
 
-verify_result=$(cat "$arg_vsa_path" | jq -r ".payload" | base64 -d | jq -r ".predicate.verificationResult")
-verifier=$(cat "$arg_vsa_path" | jq -r ".payload" | base64 -d | jq -r ".predicate.verifier.id")
+verify_result=$(jq -r ".payload" < "$arg_vsa_path" | base64 -d | jq -r ".predicate.verificationResult")
+verifier=$(jq -r ".payload" < "$arg_vsa_path" | base64 -d | jq -r ".predicate.verifier.id")
 
 
 # Check if the subject and artifact digests match.
diff --git a/scripts/release_scripts/run_macaron.sh b/scripts/release_scripts/run_macaron.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env bash
 
-# Copyright (c) 2023 - 2024, Oracle and/or its affiliates. All rights reserved.
+# Copyright (c) 2023 - 2025, Oracle and/or its affiliates. All rights reserved.
 # Licensed under the Universal Permissive License v 1.0 as shown at https://oss.oracle.com/licenses/upl/.
 
 # This script runs the Macaron Docker image.
@@ -231,6 +231,10 @@ function mount_dir_rw_allow_create() {
 #   $1: The macaron argument from which the directory is passed into this script.
 #   $2: The path to the directory on the host.
 #   $3: The path to the directory inside the container.
+#
+# Note: This function is currently unused but retained to avoid using `_mount_dir`
+# if not necessary, which may have unintended side effects.
+# shellcheck disable=SC2317
 function mount_dir_rw_forbid_create() {
     arg_name=$1
     dir_on_host=$2
