chore: add prek with some inital checks - shellcheck and zizmor and apply suggested fixes

netomi · netomi · commit da0987fb2583 · 2026-01-10T21:33:33.000+01:00
diff --git a/.github/dependabot.yml b/.github/dependabot.yml
@@ -8,3 +8,5 @@ updates:
       github-actions:
         patterns:
           - "*"
+    cooldown:
+      default-days: 7
diff --git a/.github/workflows/playwright.yml b/.github/workflows/playwright.yml
@@ -15,6 +15,8 @@ jobs:
     runs-on: ubuntu-latest
     steps:
       - uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8  # v6.0.1
+        with:
+          persist-credentials: false
       - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f  # v6.1.0
         with:
           node-version: 18.x
diff --git a/.github/workflows/publish-cli.yml b/.github/workflows/publish-cli.yml
@@ -65,6 +65,7 @@ jobs:
       - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: '24.x'
+          package-manager-cache: false
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install Yarn
diff --git a/.github/workflows/publish-webui.yml b/.github/workflows/publish-webui.yml
@@ -63,6 +63,7 @@ jobs:
       - uses: actions/setup-node@395ad3262231945c25e8478fd5baf05154b1d79f # v6.1.0
         with:
           node-version: '24.x'
+          package-manager-cache: false
           registry-url: 'https://registry.npmjs.org'
 
       - name: Install Yarn
diff --git a/.github/workflows/sonar.yml b/.github/workflows/sonar.yml
@@ -15,7 +15,7 @@ jobs:
       run: mkdir -p ${{ runner.temp }}/artifacts
     - name: Download PR number artifact
       if: github.event.workflow_run.event == 'pull_request'
-      uses: dawidd6/action-download-artifact@v12
+      uses: dawidd6/action-download-artifact@0bd50d53a6d7fb5cb921e607957e9cc12b4ce392 # v12
       with:
         workflow: CI
         run_id: ${{ github.event.workflow_run.id }}
@@ -42,6 +42,7 @@ jobs:
       with:
           repository: ${{ github.event.workflow_run.head_repository.full_name }}
           ref: ${{ github.event.workflow_run.head_branch }}
+          persist-credentials: false
           fetch-depth: 0
     - name: Checkout head branch of pull_request
       if: github.event.workflow_run.event == 'pull_request'
diff --git a/.github/zizmor.yml b/.github/zizmor.yml
@@ -0,0 +1,7 @@
+rules:
+  dangerous-triggers:
+    ignore:
+      - sonar.yml
+  template-injection:
+    ignore:
+      - sonar.yml
diff --git a/.pre-commit-config.yaml b/.pre-commit-config.yaml
@@ -0,0 +1,29 @@
+repos:
+#- repo: https://github.com/pre-commit/pre-commit-hooks
+#  rev: v6.0.0
+#  hooks:
+#    - id: check-yaml
+#    - id: end-of-file-fixer
+#    - id: mixed-line-ending
+#    - id: trailing-whitespace
+#- repo: https://github.com/Lucas-C/pre-commit-hooks
+#  rev: v1.5.5
+#  hooks:
+#    - id: insert-license
+#      name: Add license for all Java files
+#      files: ^server/.*\.java$
+#      args:
+#        - --comment-style
+#        - "/*| *| */"
+#        - --license-filepath
+#        - LICENSE-template.txt
+#        - --fuzzy-match-generates-todo
+- repo: https://github.com/shellcheck-py/shellcheck-py
+  rev: v0.11.0.1
+  hooks:
+  -   id: shellcheck
+- repo: https://github.com/woodruffw/zizmor-pre-commit
+  rev: v1.20.0
+  hooks:
+    - id: zizmor
+      args: [ --min-severity, low ]
diff --git a/deploy/docker/build.sh b/deploy/docker/build.sh
@@ -1,4 +1,6 @@
-#/bin/bash
+#!/bin/bash
 
-export OPENVSX_VERSION=`curl -sSL https://api.github.com/repos/eclipse/openvsx/releases/latest | jq -r ".tag_name"`
-sudo docker build -t "openvsx:$OPENVSX_VERSION" --build-arg "OPENVSX_VERSION=$OPENVSX_VERSION" .
+OPENVSX_VERSION=$(curl -sSL https://api.github.com/repos/eclipse/openvsx/releases/latest | jq -r ".tag_name")
+export OPENVSX_VERSION
+
+sudo docker build -t "openvsx:$OPENVSX_VERSION" --build-arg "OPENVSX_VERSION=$OPENVSX_VERSION" .
diff --git a/server/scripts/callback-url.sh b/server/scripts/callback-url.sh
@@ -3,7 +3,7 @@
 # This script prints the callback URL for the provider given as argument, e.g. github
 if command -v gp > /dev/null
 then
-    echo "`gp url 8080 | sed s/https:/http:/`/login/oauth2/code/$1"
+    echo "$(gp url 8080 | sed s/https:/http:/)/login/oauth2/code/$1"
 else
     echo "http://localhost:8080/login/oauth2/code/$1"
 fi
diff --git a/server/scripts/dependencies-check.sh b/server/scripts/dependencies-check.sh
@@ -3,14 +3,14 @@
 # Clone and build license tool
 if [ ! -d "/workspace/dash-licenses" ] 
 then
-    cd /workspace
+    cd /workspace || exit
     git clone https://github.com/eclipse/dash-licenses.git
-    cd dash-licenses
+    cd dash-licenses || exit
     mvn package
 fi
 
 # Generate build/dependencies/list.txt
-cd /workspace/openvsx/server
+cd /workspace/openvsx/server || exit
 ./gradlew listDependencies
 
 # Generate DEPENDENCIES report
diff --git a/server/scripts/generate-properties.sh b/server/scripts/generate-properties.sh
@@ -10,90 +10,95 @@ fi
 export OVSX_APP_PROFILE=$PWD/src/dev/resources/application-ovsx.properties
 
 # Clear the content of the ovsx application profile
-echo "# Generated by scripts/generate-properties.sh" > $OVSX_APP_PROFILE
+echo "# Generated by scripts/generate-properties.sh" > "${OVSX_APP_PROFILE}"
 
 if [ "$INSIDE_DOCKER" = true ]
 then
-    # Set the Elasticsearch host
-    echo "ovsx.elasticsearch.host=elasticsearch:9200" >> $OVSX_APP_PROFILE
+    {
+        # Set the Elasticsearch host
+        echo "ovsx.elasticsearch.host=elasticsearch:9200"
 
-    # Set the Postgres host
-    echo "spring.datasource.url=jdbc:postgresql://postgres:5432/postgres" >> $OVSX_APP_PROFILE
-    echo "spring.datasource.username=openvsx" >> $OVSX_APP_PROFILE
-    echo "spring.datasource.password=openvsx" >> $OVSX_APP_PROFILE
+        # Set the Postgres host
+        echo "spring.datasource.url=jdbc:postgresql://postgres:5432/postgres"
+        echo "spring.datasource.username=openvsx"
+        echo "spring.datasource.password=openvsx"
+    } >> "${OVSX_APP_PROFILE}"
 else
     # Set the Elasticsearch host
-    echo "ovsx.elasticsearch.host=localhost:9200" >> $OVSX_APP_PROFILE
+    echo "ovsx.elasticsearch.host=localhost:9200" >> "${OVSX_APP_PROFILE}"
 fi
 
 # Set the web UI URL
 if command -v gp > /dev/null
 then
-    echo "Using web frontend in Gitpod: `gp url 3000`"
-    echo "ovsx.webui.url=`gp url 3000`" >> $OVSX_APP_PROFILE
+    echo "Using web frontend in Gitpod: $(gp url 3000)"
+    echo "ovsx.webui.url=$(gp url 3000)" >> "${OVSX_APP_PROFILE}"
 else
     echo "Using web frontend on local machine: http://localhost:3000"
-    echo "ovsx.webui.url=http://localhost:3000" >> $OVSX_APP_PROFILE
+    echo "ovsx.webui.url=http://localhost:3000" >> "${OVSX_APP_PROFILE}"
 fi
 
 # Set the GitHub OAuth client id and client secret
-echo "spring.security.oauth2.client.registration.github.client-id=${GITHUB_CLIENT_ID:-none}" >> $OVSX_APP_PROFILE
-echo "spring.security.oauth2.client.registration.github.client-secret=${GITHUB_CLIENT_SECRET:-none}" >> $OVSX_APP_PROFILE
+echo "spring.security.oauth2.client.registration.github.client-id=${GITHUB_CLIENT_ID:-none}" >> "${OVSX_APP_PROFILE}"
+echo "spring.security.oauth2.client.registration.github.client-secret=${GITHUB_CLIENT_SECRET:-none}" >> "${OVSX_APP_PROFILE}"
 if [ -n "$GITHUB_CLIENT_ID" ] && [ -n "$GITHUB_CLIENT_SECRET" ]
 then
     echo "GitHub OAuth is enabled."
 fi
 
 # Set the Eclipse OAuth client id and client secret
-echo "spring.security.oauth2.client.registration.eclipse.client-id=${ECLIPSE_CLIENT_ID:-none}" >> $OVSX_APP_PROFILE
-echo "spring.security.oauth2.client.registration.eclipse.client-secret=${ECLIPSE_CLIENT_SECRET:-none}" >> $OVSX_APP_PROFILE
+echo "spring.security.oauth2.client.registration.eclipse.client-id=${ECLIPSE_CLIENT_ID:-none}" >> "${OVSX_APP_PROFILE}"
+echo "spring.security.oauth2.client.registration.eclipse.client-secret=${ECLIPSE_CLIENT_SECRET:-none}" >> "${OVSX_APP_PROFILE}"
 if [ -n "$ECLIPSE_CLIENT_ID" ] && [ -n "$ECLIPSE_CLIENT_SECRET" ]
 then
-    echo "ovsx.eclipse.publisher-agreement.version=1" >> $OVSX_APP_PROFILE
-    echo "ovsx.publishing.require-license=true" >> $OVSX_APP_PROFILE
+    echo "ovsx.eclipse.publisher-agreement.version=1" >> "${OVSX_APP_PROFILE}"
+    echo "ovsx.publishing.require-license=true" >> "${OVSX_APP_PROFILE}"
     echo "Eclipse OAuth is enabled."
 fi
 
 # Set the Google Cloud Storage project id and bucket id
 if [ -n "$GCP_PROJECT_ID" ] && [ -n "$GCS_BUCKET_ID" ]
 then
-    echo "ovsx.storage.gcp.project-id=$GCP_PROJECT_ID" >> $OVSX_APP_PROFILE
-    echo "ovsx.storage.gcp.bucket-id=$GCS_BUCKET_ID" >> $OVSX_APP_PROFILE
+    echo "ovsx.storage.gcp.project-id=$GCP_PROJECT_ID" >> "${OVSX_APP_PROFILE}"
+    echo "ovsx.storage.gcp.bucket-id=$GCS_BUCKET_ID" >> "${OVSX_APP_PROFILE}"
     echo "Using Google Cloud Storage: https://storage.googleapis.com/$GCS_BUCKET_ID/"
 fi
 
 # Set the Azure Blob Storage service endpoint and sas token
 if [ -n "$AZURE_SERVICE_ENDPOINT" ] && [ -n "$AZURE_SAS_TOKEN" ]
 then
-    echo "ovsx.storage.azure.service-endpoint=$AZURE_SERVICE_ENDPOINT" >> $OVSX_APP_PROFILE
-    echo "ovsx.storage.azure.sas-token=$AZURE_SAS_TOKEN" >> $OVSX_APP_PROFILE
+    echo "ovsx.storage.azure.service-endpoint=$AZURE_SERVICE_ENDPOINT" >> "${OVSX_APP_PROFILE}"
+    echo "ovsx.storage.azure.sas-token=$AZURE_SAS_TOKEN" >> "${OVSX_APP_PROFILE}"
     echo "Using Azure Blob Storage: $AZURE_SERVICE_ENDPOINT"
 fi
 
 # Set the Azure Logs Storage service endpoint and sas token
 if [ -n "$AZURE_LOGS_SERVICE_ENDPOINT" ] && [ -n "$AZURE_LOGS_SAS_TOKEN" ]
 then
-    echo "ovsx.logs.azure.service-endpoint=$AZURE_LOGS_SERVICE_ENDPOINT" >> $OVSX_APP_PROFILE
-    echo "ovsx.logs.azure.sas-token=$AZURE_LOGS_SAS_TOKEN" >> $OVSX_APP_PROFILE
+    echo "ovsx.logs.azure.service-endpoint=$AZURE_LOGS_SERVICE_ENDPOINT" >> "${OVSX_APP_PROFILE}"
+    echo "ovsx.logs.azure.sas-token=$AZURE_LOGS_SAS_TOKEN" >> "${OVSX_APP_PROFILE}"
     echo "Using Azure Logs Storage: $AZURE_LOGS_SERVICE_ENDPOINT"
 fi
 
 # Set the AWS Storage service access key id, secret access key, region and endpoint
 if [ -n "$AWS_ACCESS_KEY_ID" ] && [ -n "$AWS_SECRET_ACCESS_KEY" ] && [ -n "$AWS_REGION" ] && [ -n "$AWS_BUCKET" ]
 then
-  echo "ovsx.storage.aws.access-key-id=$AWS_ACCESS_KEY_ID" >> $OVSX_APP_PROFILE
-  echo "ovsx.storage.aws.secret-access-key=$AWS_SECRET_ACCESS_KEY" >> $OVSX_APP_PROFILE
-  echo "ovsx.storage.aws.region=$AWS_REGION" >> $OVSX_APP_PROFILE
-  echo "ovsx.storage.aws.bucket=$AWS_BUCKET" >> $OVSX_APP_PROFILE
-  if [ -n "$AWS_PATH_STYLE_ACCESS" ]
-  then
-    echo "ovsx.storage.aws.path-style-access=$AWS_PATH_STYLE_ACCESS" >> $OVSX_APP_PROFILE
-  fi
-  if [ -n "$AWS_SERVICE_ENDPOINT" ]
-  then
-    echo "ovsx.storage.aws.service-endpoint=$AWS_SERVICE_ENDPOINT" >> $OVSX_APP_PROFILE
-    echo "Using AWS S3 Storage: $AWS_SERVICE_ENDPOINT"
-  else
-    echo "Using AWS S3 Storage."
-  fi
+    {
+        echo "ovsx.storage.aws.access-key-id=$AWS_ACCESS_KEY_ID"
+        echo "ovsx.storage.aws.secret-access-key=$AWS_SECRET_ACCESS_KEY"
+        echo "ovsx.storage.aws.region=$AWS_REGION"
+        echo "ovsx.storage.aws.bucket=$AWS_BUCKET"
+    } >> "${OVSX_APP_PROFILE}"
+
+    if [ -n "$AWS_PATH_STYLE_ACCESS" ]
+    then
+      echo "ovsx.storage.aws.path-style-access=$AWS_PATH_STYLE_ACCESS" >> "${OVSX_APP_PROFILE}"
+    fi
+    if [ -n "$AWS_SERVICE_ENDPOINT" ]
+    then
+      echo "ovsx.storage.aws.service-endpoint=$AWS_SERVICE_ENDPOINT" >> "${OVSX_APP_PROFILE}"
+      echo "Using AWS S3 Storage: $AWS_SERVICE_ENDPOINT"
+    else
+      echo "Using AWS S3 Storage."
+    fi
 fi
diff --git a/server/scripts/run-server.sh b/server/scripts/run-server.sh
@@ -1,6 +1,6 @@
 #!/bin/sh
 
 # This script is included in the Docker image to run the server application
-echo "JVM_ARGS: '$JVM_ARGS'"
+echo "JVM_ARGS: '${JVM_ARGS}'"
 
-exec java $JVM_ARGS -cp BOOT-INF/classes:BOOT-INF/lib/* org.eclipse.openvsx.RegistryApplication
+exec java "${JVM_ARGS}" -cp BOOT-INF/classes:BOOT-INF/lib/* org.eclipse.openvsx.RegistryApplication
diff --git a/server/src/gatling/scripts/fill-database.sh b/server/src/gatling/scripts/fill-database.sh
@@ -3,4 +3,4 @@
 cd ../../..
 ./gradlew --rerun-tasks gatlingRun-org.eclipse.openvsx.RegistryAPICreateNamespaceSimulation
 ./gradlew --rerun-tasks gatlingRun-org.eclipse.openvsx.RegistryAPIPublishExtensionSimulation
-cd src/gatling/scripts
+cd src/gatling/scripts || exit
diff --git a/server/src/gatling/scripts/test-registry-api.sh b/server/src/gatling/scripts/test-registry-api.sh
@@ -15,4 +15,4 @@ cd ../../..
 ./gradlew --rerun-tasks gatlingRun --simulation=org.eclipse.openvsx.RegistryAPIGetQueryV2Simulation
 ./gradlew --rerun-tasks gatlingRun --simulation=org.eclipse.openvsx.RegistryAPISearchSimulation
 ./gradlew --rerun-tasks gatlingRun --simulation=org.eclipse.openvsx.RegistryAPIVerifyTokenSimulation
-cd src/gatling/scripts
+cd src/gatling/scripts || exit
diff --git a/server/src/gatling/scripts/test-vscode-adapter.sh b/server/src/gatling/scripts/test-vscode-adapter.sh
@@ -6,4 +6,4 @@ cd ../../..
 ./gradlew --rerun-tasks gatlingRun --simulation=org.eclipse.openvsx.adapter.VSCodeAdapterItemSimulation
 ./gradlew --rerun-tasks gatlingRun --simulation=org.eclipse.openvsx.adapter.VSCodeAdapterUnpkgSimulation
 ./gradlew --rerun-tasks gatlingRun --simulation=org.eclipse.openvsx.adapter.VSCodeAdapterVspackageSimulation
-cd src/gatling/scripts
+cd src/gatling/scripts || exit
