ci(gh-actions): bash strict mode

Author: thomasleplus

.github/workflows/apk-check-versions.yml

@@ -14,4 +14,7 @@ jobs:
     steps:
       - name: Check the versions
         shell: bash
-        run: docker run --pull always -t --user root --entrypoint /bin/sh "leplusorg/${GITHUB_REPOSITORY#*/docker-}:main" -c 'apk update && apk -u list | tee -a /dev/stderr | grep -q -e . && exit 1'
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          docker run --pull always -t --user root --entrypoint /bin/sh "leplusorg/${GITHUB_REPOSITORY#*/docker-}:main" -c 'if apk update && apk -u list | tee -a /dev/stderr | grep -q -e .; then exit 1; fi'

.github/workflows/automerge.yml

@@ -15,6 +15,8 @@ jobs:
       - name: Enable auto-merge for Dependabot PRs
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           # Checking the PR title is a poor substitute for the actual PR changes
           # but as long as this is used only with dependabot PRs,
           # it should be safe to assume that the title is not misleading.

.github/workflows/check-pr.yml

@@ -12,6 +12,8 @@ jobs:
       - name: Check commits
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           # Check the commits
           commits_json=$(curl -fsSL -H "Authorization: token ${GITHUB_TOKEN}" "${PR_COMMITS_URL}")
           echo -n 'Commits: '
@@ -40,6 +42,8 @@ jobs:
       - name: Update PR labels
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           # Check PR title is a conventional commit message
           regexp='^((build|chore|ci|docs|feat|fix|perf|refactor|style|test)(\([a-zA-Z0-9\-]+\))?)!?: .*$'
           if ! [[ "${PR_TITLE}" =~ ${regexp} ]] ; then

.github/workflows/docker-build-push.yml

@@ -19,10 +19,16 @@ jobs:
     steps:
       - name: Set IMAGE
         shell: bash
-        run: echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'	
+          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Set SOURCE_DATE_EPOCH
-        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'	
+          echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
       - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -37,7 +43,10 @@ jobs:
       - name: Test the Docker image
         working-directory: ${{ env.IMAGE }}
         shell: bash
-        run: docker compose -f docker-compose.test.yml run sut
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          docker compose -f docker-compose.test.yml run sut
       - uses: docker/login-action@184bdaa0721073962dff0199f1fb9940f07167d1 # v3.5.0
         if: github.ref == 'refs/heads/main'
         with:
@@ -64,16 +73,19 @@ jobs:
           TAGS: ${{ steps.meta.outputs.tags }}
         shell: bash
         run: |
-          images=""
+          set -euo pipefail
+          IFS=$'\n\t'
+          images=()
           for tag in ${TAGS}; do
-            images+="${tag}@${DIGEST} "
+            images+=("${tag}@${DIGEST}")
           done
-          # shellcheck disable=SC2086
-          cosign sign --recursive --yes ${images}
+          cosign sign --recursive --yes "${images[@]}"
       - name: Set VERSION
         if: github.ref == 'refs/heads/main'
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           # shellcheck disable=SC2086
           VERSION="$(\grep ${IMAGE}/Dockerfile -e '^FROM' | \head -n 1 | \sed -e 's/@.*$//; s/^.*://;')"
           if [[ "${VERSION}" =~ ^[0-9]+\.[0-9]+\.[0-9]+$ ]] ; then

.github/workflows/docker-release.yml

@@ -16,10 +16,16 @@ jobs:
     steps:
       - name: Set IMAGE
         shell: bash
-        run: echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'	
+          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Set SOURCE_DATE_EPOCH
-        run: echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'	
+          echo "SOURCE_DATE_EPOCH=$(git log -1 --pretty=%ct)" >> "${GITHUB_ENV}"
       - uses: docker/setup-qemu-action@29109295f81e9208d7d86ff1c6c12d2833863392 # v3.6.0
       - uses: docker/setup-buildx-action@e468171a9de216ec08956ac3ada2f0791b6bd435 # v3.11.1
       - uses: docker/metadata-action@c1e51972afc2121e065aed6d45c65596fe445f3f # v5.8.0
@@ -57,6 +63,8 @@ jobs:
           TAGS: ${{ steps.meta.outputs.tags }}
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           images=""
           for tag in ${TAGS}; do
             images+="${tag}@${DIGEST} "

.github/workflows/dockerhub.yml

@@ -20,17 +20,28 @@ jobs:
     steps:
       - name: Set IMAGE
         shell: bash
-        run: echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'	
+          echo "IMAGE=${GITHUB_REPOSITORY#*/docker-}" >> "${GITHUB_ENV}"
       - uses: actions/checkout@08c6903cd8c0fde910a37f88322edcfb5dd907a8 # v5.0.0
       - name: Pull the ${{ matrix.tag }} ${{ matrix.platform }} image
         shell: bash
-        run: docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          docker pull --platform "${{ matrix.platform }}" "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}"
       - name: Pull the ${{ matrix.tag }} ${{ matrix.platform }} image SBOM
         shell: bash
-        run: docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          docker buildx imagetools inspect "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}" --format "{{ json (index .SBOM \"${{ matrix.platform }}\").SPDX }}"
       - name: Install cosign
         uses: sigstore/cosign-installer@d58896d6a1865668819e1d91763c7751a165e159 # v3.9.2
       - name: Verify the ${{ matrix.tag }} image signature
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           cosign verify "${GITHUB_REPOSITORY_OWNER}/${IMAGE}:${{ matrix.tag }}" --certificate-identity-regexp "https://github\.com/${GITHUB_REPOSITORY}/\.github/workflows/.+" --certificate-oidc-issuer 'https://token.actions.githubusercontent.com'

.github/workflows/npm-check-versions.yml

@@ -15,4 +15,6 @@ jobs:
       - name: Check the versions
         shell: bash
         run: |
+          set -euo pipefail
+          IFS=$'\n\t'
           docker run --pull always -t --user root "leplusorg/${GITHUB_REPOSITORY#*/docker-}:main" npm outdated --global

.github/workflows/pipx-check-versions.yml

@@ -14,4 +14,7 @@ jobs:
     steps:
       - name: Check the versions
         shell: bash
-        run: docker run --pull always -t --user root --entrypoint /bin/sh "leplusorg/${GITHUB_REPOSITORY#*/docker-}:main" -c 'pipx upgrade-all --global | tee -a /dev/stderr | grep -q -e . && exit 1'
+        run: |
+          set -euo pipefail
+          IFS=$'\n\t'
+          docker run --pull always -t --user root --entrypoint /bin/sh "leplusorg/${GITHUB_REPOSITORY#*/docker-}:main" -c 'if sudo pipx upgrade-all --global | tee -a /dev/stderr | grep -q -e .; then exit 1; fi'

json/Dockerfile

@@ -33,6 +33,7 @@ RUN pipx ensurepath --global \
     json2yaml==1.2.0
 
 RUN npm install -g \
+    [email protected] \
     [email protected] \
     [email protected] \
     [email protected]

json/docker-compose.test.yml

@@ -16,6 +16,7 @@ services:
         git --version # git
         jq --version # jq
         json2yaml --version # json2yaml
+        jslint --version # jsonlint
         jsonlint --help # jsonlint
         npm --version # npm
         openssl --version # openssl