Skip to content

Fix ShellCheck CI false positives and harden ShellCheck workflow permissions#93

Merged
lkocman merged 4 commits into
mainfrom
copilot/fix-shellcheck-failing-job
May 17, 2026
Merged

Fix ShellCheck CI false positives and harden ShellCheck workflow permissions#93
lkocman merged 4 commits into
mainfrom
copilot/fix-shellcheck-failing-job

Conversation

Copy link
Copy Markdown
Contributor

Copilot AI commented May 17, 2026
edited
Loading

The shellcheck GitHub Actions job failed on the main script due to static-analysis false positives around sourcing /etc/os-release. This change makes that sourcing explicit for linting and ensures referenced OS metadata variables are always defined in-script.

  • Lint-scope fix for external source

    • Added a targeted ShellCheck suppression directly on the /etc/os-release source line to handle CI lint context where the file is not part of analyzed inputs.
    • Kept an explicit ShellCheck source hint alongside the suppression during conflict resolution.

  • Defensive initialization of sourced vars

    • Initialized NAME and VERSION with default-empty fallbacks immediately after sourcing, removing SC2153 undefined-variable findings without changing runtime behavior.

  • Workflow security hardening

    • Added explicit minimal token permissions to the ShellCheck workflow:
      • permissions:
      • contents: read
    • This resolves the CodeQL Actions alert for missing workflow permissions.

  • Touched files

    • opensuse-migration-tool
    • .github/workflows/shellcheck.yml
# shellcheck disable=SC1091
# shellcheck source=/etc/os-release
source /etc/os-release
NAME=${NAME:-}
VERSION=${VERSION:-}

Copilot AI changed the title [WIP] Fix failing GitHub Actions job shellcheck Fix ShellCheck CI false positives for /etc/os-release variables May 17, 2026
Copilot AI requested a review from lkocman May 17, 2026 14:07
@lkocman
Copy link
Copy Markdown
Collaborator

lkocman commented May 17, 2026

@copilot resolve the merge conflicts in this pull request

@lkocman
Merge origin/main and resolve shellcheck conflict
43c1b23 
Co-authored-by: lkocman <510119+lkocman@users.noreply.github.com>
@lkocman lkocman marked this pull request as ready for review May 17, 2026 14:13
Copilot AI review requested due to automatic review settings May 17, 2026 14:13
Copy link
Copy Markdown
Contributor Author

Copilot AI commented May 17, 2026

@copilot resolve the merge conflicts in this pull request

Resolved and pushed. The merge conflicts were fixed in commit 43c1b23, and I also pushed a small follow-up CI security fix in 1350cf2.

@lkocman lkocman merged commit 20224f6 into main May 17, 2026
Copilot AI changed the title Fix ShellCheck CI false positives for /etc/os-release variables Fix ShellCheck CI false positives and harden ShellCheck workflow permissions May 17, 2026
Copilot stopped work on behalf of lkocman due to an error May 17, 2026 14:14
The session was cancelled by the user.
Copilot AI requested a review from lkocman May 17, 2026 14:14
Copilot AI reviewed May 17, 2026
View reviewed changes
Copy link
Copy Markdown
Contributor

Copilot AI left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Pull request overview

This PR addresses ShellCheck CI false positives around sourcing /etc/os-release and variables populated from it, while tightening workflow permissions.

Changes:

  • Suppresses ShellCheck’s external source warning for /etc/os-release.
  • Initializes NAME and VERSION after sourcing to satisfy static analysis.
  • Adds read-only repository contents permission to the ShellCheck workflow.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File Description
opensuse-migration-tool Updates ShellCheck handling for /etc/os-release-provided variables.
.github/workflows/shellcheck.yml Adds minimal contents: read permission for the workflow.

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

Copilot code review Copilot Copilot left review comments

@lkocman lkocman Awaiting requested review from lkocman

Assignees

@lkocman lkocman

Copilot code review Copilot

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

3 participants

@lkocman