Merge pull request #4670 from kolyshkin/shell-spring-cleaning

kolyshkin · web-flow · commit fde084208340 · 2025-03-14T17:49:23.000-07:00
Shell spring cleaning
diff --git a/.cirrus.yml b/.cirrus.yml
@@ -12,7 +12,7 @@ task:
     HOME: /root
     CIRRUS_WORKING_DIR: /home/runc
     GO_VER_PREFIX: "1.24."
-    BATS_VERSION: "v1.9.0"
+    BATS_VERSION: "v1.11.0"
     RPMS: gcc git-core iptables jq glibc-static libseccomp-devel make criu fuse-sshfs container-selinux
     # yamllint disable rule:key-duplicates
     matrix:
diff --git a/.github/workflows/validate.yml b/.github/workflows/validate.yml
@@ -108,9 +108,9 @@ jobs:
       - uses: actions/checkout@v4
       - name: install shellcheck
         env:
-          VERSION: v0.9.0
+          VERSION: v0.10.0
           BASEURL: https://github.com/koalaman/shellcheck/releases/download
-          SHA256: 7087178d54de6652b404c306233264463cb9e7a9afeb259bb663cc4dbfd64149
+          SHA256: f35ae15a4677945428bdfe61ccc297490d89dd1e544cc06317102637638c6deb
         run: |
           mkdir ~/bin
           curl -sSfL --retry 5 $BASEURL/$VERSION/shellcheck-$VERSION.linux.x86_64.tar.xz |
diff --git a/Dockerfile b/Dockerfile
@@ -1,5 +1,5 @@
 ARG GO_VERSION=1.23
-ARG BATS_VERSION=v1.9.0
+ARG BATS_VERSION=v1.11.0
 ARG LIBSECCOMP_VERSION=2.5.6
 
 FROM golang:${GO_VERSION}-bookworm
diff --git a/Makefile b/Makefile
@@ -221,7 +221,7 @@ shellcheck:
 shfmt:
 	$(CONTAINER_ENGINE) run $(CONTAINER_ENGINE_RUN_FLAGS) \
 		--rm -v $(CURDIR):/src -w /src \
-		mvdan/shfmt:v3.5.1 -d -w .
+		mvdan/shfmt:v3.11.0 -d -w .
 
 .PHONY: localshfmt
 localshfmt:
diff --git a/script/setup_host_fedora.sh b/script/setup_host_fedora.sh
@@ -1,12 +1,11 @@
 #!/bin/bash
 set -eux -o pipefail
-DNF_OPTS="-y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude=kernel,kernel-core"
-RPMS="bats git-core glibc-static golang jq libseccomp-devel make"
+DNF=(dnf -y --setopt=install_weak_deps=False --setopt=tsflags=nodocs --exclude="kernel,kernel-core")
+RPMS=(bats git-core glibc-static golang jq libseccomp-devel make)
 # Work around dnf mirror failures by retrying a few times.
 for i in $(seq 0 2); do
 	sleep "$i"
-	# shellcheck disable=SC2086
-	dnf $DNF_OPTS update && dnf $DNF_OPTS install $RPMS && break
+	"${DNF[@]}" update && "${DNF[@]}" install "${RPMS[@]}" && break
 done
 dnf clean all
 
@@ -18,8 +17,7 @@ useradd -u2000 -m -d/home/rootless -s/bin/bash rootless
 
 # Allow root and rootless itself to execute `ssh rootless@localhost` in tests/rootless.sh
 ssh-keygen -t ecdsa -N "" -f /root/rootless.key
-# shellcheck disable=SC2174
-mkdir -m 0700 -p /home/rootless/.ssh
+mkdir -m 0700 /home/rootless/.ssh
 cp /root/rootless.key /home/rootless/.ssh/id_ecdsa
 cat /root/rootless.key.pub >>/home/rootless/.ssh/authorized_keys
 chown -R rootless.rootless /home/rootless
diff --git a/tests/integration/hooks.bats b/tests/integration/hooks.bats
@@ -21,7 +21,6 @@ function teardown() {
 @test "runc create [hook fails]" {
 	for hook in prestart createRuntime createContainer; do
 		echo "testing hook $hook"
-		# shellcheck disable=SC2016
 		update_config '.hooks |= {"'$hook'": [{"path": "/bin/true"}, {"path": "/bin/false"}]}'
 		runc create --console-socket "$CONSOLE_SOCKET" test_hooks
 		[ "$status" -ne 0 ]
@@ -34,7 +33,6 @@ function teardown() {
 	# All hooks except Poststop.
 	for hook in prestart createRuntime createContainer startContainer poststart; do
 		echo "testing hook $hook"
-		# shellcheck disable=SC2016
 		update_config '.hooks |= {"'$hook'": [{"path": "/bin/true"}, {"path": "/bin/false"}]}'
 		runc run "test_hook-$hook"
 		[[ "$output" != "Hello World" ]]
diff --git a/tests/integration/run.bats b/tests/integration/run.bats
@@ -84,7 +84,6 @@ function teardown() {
 	chmod 'a=rwx,ug+s,+t' rootfs/tmp # set all bits
 	mode=$(stat -c %A rootfs/tmp)
 
-	# shellcheck disable=SC2016
 	update_config '.process.args = ["sh", "-c", "stat -c %A /tmp"]'
 	update_config '.mounts += [{"destination": "/tmp", "type": "tmpfs", "source": "tmpfs", "options":["noexec","nosuid","nodev","rprivate"]}]'
 
@@ -94,7 +93,6 @@ function teardown() {
 }
 
 @test "runc run with tmpfs perms" {
-	# shellcheck disable=SC2016
 	update_config '.process.args = ["sh", "-c", "stat -c %a /tmp/test"]'
 	update_config '.mounts += [{"destination": "/tmp/test", "type": "tmpfs", "source": "tmpfs", "options": ["mode=0444"]}]'
 
@@ -113,14 +111,12 @@ function teardown() {
 	# so it should use the directory's perms.
 	update_config '.mounts[-1].options = []'
 	chmod 0710 rootfs/tmp/test
-	# shellcheck disable=SC2016
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
 	[ "${lines[0]}" = "710" ]
 
 	# Add back the mode on the mount, and it should use that instead.
 	# Just for fun, use different perms than was used earlier.
-	# shellcheck disable=SC2016
 	update_config '.mounts[-1].options = ["mode=0410"]'
 	runc run test_tmpfs
 	[ "$status" -eq 0 ]
diff --git a/tests/integration/seccomp-notify.bats b/tests/integration/seccomp-notify.bats
@@ -183,7 +183,7 @@ function scmp_act_notify_template() {
 @test "runc run [seccomp] (SCMP_ACT_NOTIFY startContainer hook)" {
 	# shellcheck disable=SC2016
 	# We use single quotes to properly delimit the $1 param to
-	# update_config(), but this shellshcheck is quite silly and fails if the
+	# update_config(), but shellcheck is quite silly and fails if the
 	# multi-line string includes some $var (even when it is properly outside of the
 	# single quotes) or when we use this syntax to execute commands in the
 	# string: $(command).
diff --git a/tests/integration/tty.bats b/tests/integration/tty.bats
@@ -123,7 +123,6 @@ function teardown() {
 
 	# replace "uid": 0 with "uid": 1000
 	# and do a similar thing for gid.
-	# shellcheck disable=SC2016
 	update_config ' (.. | select(.uid? == 0)) .uid |= 1000
 			| (.. | select(.gid? == 0)) .gid |= 100'
 
