Add shellcheck job to post lint workflow_run

robobario · robobario · commit 3015f5909a10 · 2025-12-02T16:22:07.000+13:00
Signed-off-by: Robert Young &lt;robertyoungnz@gmail.com&gt;
diff --git a/.github/workflows/sonar.yaml b/.github/workflows/sonar.yaml
@@ -9,7 +9,66 @@ concurrency:
   group: ${{ github.workflow }}-${{ github.event.workflow_run.head_branch }}
   cancel-in-progress: true
 
+permissions:
+  contents: read
+  pull-requests: write
+  checks: write
+
 jobs:
+  Shellcheck:
+    runs-on: ubuntu-latest
+    if: github.event.workflow_run && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
+    steps:
+      - name: echo event
+        run: cat $GITHUB_EVENT_PATH
+      - name: Download PR number artifact
+        uses: dawidd6/action-download-artifact@ac66b43f0e6a346234dd65d4d0c8fbb31cb316e5
+        with:
+          workflow: Build
+          run_id: ${{ github.event.workflow_run.id }}
+          name: PR_NUMBER
+      - name: Read PR_NUMBER.txt
+        id: pr_number
+        uses: juliangruber/read-file-action@b549046febe0fe86f8cb4f93c24e284433f9ab58
+        with:
+          path: ./PR_NUMBER.txt
+      - name: Request GitHub API for PR data
+        uses: octokit/request-action@05a2312de9f8207044c4c9e41fe19703986acc13
+        id: get_pr_data
+        with:
+          route: GET /repos/{full_name}/pulls/{number}
+          number: ${{ steps.pr_number.outputs.content }}
+          full_name: ${{ github.event.repository.full_name }}
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+      - uses: actions/checkout@v6
+        with:
+          repository: ${{ github.event.workflow_run.head_repository.full_name }}
+          ref: ${{ github.event.workflow_run.head_branch }}
+          fetch-depth: 0
+      - name: Checkout base branch
+        env:
+          HEAD_BRANCH: ${{ github.event.workflow_run.head_branch }}
+        run: |
+          git remote add upstream ${{ github.event.repository.clone_url }}
+          git fetch upstream
+          git checkout -B ${{ fromJson(steps.get_pr_data.outputs.data).base.ref }} upstream/${{ fromJson(steps.get_pr_data.outputs.data).base.ref }}
+          git checkout "${HEAD_BRANCH}"
+          git clean -ffdx && git reset --hard HEAD
+      - name: shellcheck
+        uses: reviewdog/action-shellcheck@4c07458293ac342d477251099501a718ae5ef86e
+        with:
+          github_token: ${{ secrets.GITHUB_TOKEN }}
+          reporter: github-pr-review # Change reporter.
+          path: "." # Optional.
+          pattern: "*.sh" # Optional.
+          level: "error"
+          fail_level: "error"
+          exclude: |
+            "./.git/*" 
+            "**/target"
+          check_all_files_with_shebangs: "false" # Optional.
+          shellcheck_flags: "--external-sources --severity=error"
   Sonar:
     runs-on: ubuntu-latest
     if: github.event.workflow_run && github.event.workflow_run.conclusion == 'success' && github.event.workflow_run.event == 'pull_request'
