fix: Achieve fully green CI by fixing all remaining issues

aRustyDev · claude · aRustyDev · commit 0e4876d568cf · 2025-07-08T20:33:28.000-04:00
- Add missing newlines to .dockerignore, dockerfile, and nix-build.nix - Remove trailing whitespace from nix-build.nix - Fix remaining ShellCheck warnings: - Add 's' case handler in witness.sh getopts - Quote variables properly in witness.sh - Replace useless cat commands with proper redirections - Quote command substitution in update-vm.sh - Add error handling for cd command in publish-to-nixpkgs.sh - Fix nix-fmt test mock to properly write formatted output - Install shfmt in CI workflow for shell formatting checks - All pre-commit hooks now pass successfully Closes #26 🤖 Generated with [Claude Code](https://claude.ai/code) Co-Authored-By: Claude <noreply@anthropic.com>
diff --git a/.dockerignore b/.dockerignore
@@ -2,4 +2,4 @@
 !.dockerignore
 !Dockerfile
 !tools/entrypoint.sh
-!tools/install/*.sh
+!tools/install/*.sh
diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
@@ -22,9 +22,11 @@ jobs:
         run: |
           sudo apt-get update
           sudo apt-get install -y shellcheck
+
           # Install shfmt
-          GO111MODULE=on go install mvdan.cc/sh/v3/cmd/shfmt@latest
-          echo "$HOME/go/bin" >> $GITHUB_PATH
+          wget -O /tmp/shfmt https://github.com/mvdan/sh/releases/download/v3.7.0/shfmt_v3.7.0_linux_amd64
+          chmod +x /tmp/shfmt
+          sudo mv /tmp/shfmt /usr/local/bin/shfmt
 
       - name: Run shellcheck
         run: |
diff --git a/docker/op-ggshield-img.dockerfile b/docker/op-ggshield-img.dockerfile
@@ -14,4 +14,4 @@ VOLUME [ "/src:rw,Z" ]
 
 ENV GITGUARDIAN_API_KEY `op read op://${OP_VAULT}/${OP_ITEM_NAME}/${OP_ITEM_FIELD}`
 
-ENTRYPOINT [ "op run --env='/src/op.env' -- ggshield secret scan pre-commit" ]
+ENTRYPOINT [ "op run --env='/src/op.env' -- ggshield secret scan pre-commit" ]
diff --git a/hooks/nix/nix-build.nix b/hooks/nix/nix-build.nix
@@ -3,15 +3,12 @@
 pkgs.stdenv.mkDerivation {
   pname = "pre-commit-hooks-nix-build";
   version = "0.1.0";
-  
   src = ./.;
-  
   buildPhase = ''
     echo "Running nix build validation..."
   '';
-  
   installPhase = ''
     mkdir -p $out
     echo "Nix build validation completed" > $out/result.txt
   '';
-}
+}
diff --git a/hooks/nix/publish-to-nixpkgs.sh b/hooks/nix/publish-to-nixpkgs.sh
@@ -7,7 +7,7 @@
 
 nix-build "$@"
 git clone https://github.com/NixOS/nixpkgs
-cd nixpkgs
+cd nixpkgs || exit
 mkdir -p pkgs/by-name/so/some-package
 emacs pkgs/by-name/so/some-package/package.nix
 git add pkgs/by-name/so/some-package/package.nix
diff --git a/hooks/update-vm.sh b/hooks/update-vm.sh
@@ -1,5 +1,5 @@
 #!/usr/bin/env bash
 
-if [ $(uname -n) == "nixos" ]; then
+if [ "$(uname -n)" == "nixos" ]; then
   cp "$GIT_DIR/nixos/WIP/*.nix" /etc/nixos/
 fi
diff --git a/hooks/witness.sh b/hooks/witness.sh
@@ -110,7 +110,7 @@ fi
 if ! command -v witness > /dev/null 2>&1; then
   echo "witness binary not found"
   echo "Downloading witness binary"
-  go install/get github.com/in-toto/witness/cmd/${ARCH:-}/witness@latest
+  go install/get "github.com/in-toto/witness/cmd/${ARCH:-}/witness@latest"
 fi
 if ! command -v yq > /dev/null 2>&1; then
   echo "yq binary not found"
@@ -134,6 +134,10 @@ while getopts ":r:a:s:" opt; do
     a)
       witness_run_args="$OPTARG"
       ;;
+    s)
+      # Step option reserved for future use
+      :
+      ;;
     \?)
       echo "Invalid option -$OPTARG" >&2
       exit 1
@@ -163,8 +167,8 @@ for i in $(yq eval '.verify.attestations[]' .witness.yaml); do
     echo "Attestation file ($i) specified in '.witness.yaml' not found"
     exit 1
   fi
-  witness run --step build -o "$i" -a slsa --attestor-slsa-export -- $witness_run $witness_run_args .
-  cat "$i" | jq -r .payload | base64 -d | jq
+  witness run --step build -o "$i" -a slsa --attestor-slsa-export -- "$witness_run" "$witness_run_args" .
+  jq -r .payload < "$i" | base64 -d | jq
 done
 
 # 5.View Attestation data in the signed DSSE envelope
@@ -213,7 +217,7 @@ fi
 
 # 7. Replace variables in the policy
 id=$(sha256sum testpub.pem | awk '{print $1}') && sed -i "s/{{PUBLIC_KEY_ID}}/$id/g" policy.json
-pubb64=$(cat testpub.pem | base64 -w 0) && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json
+pubb64=$(base64 -w 0 < testpub.pem) && sed -i "s/{{B64_PUBLIC_KEY}}/$pubb64/g" policy.json
 
 # 8. Sign the policy file
 witness sign -f policy.json --signer-file-key-path testkey.pem --outfile policy-signed.json
diff --git a/tests/nix/test_nix_fmt.bats b/tests/nix/test_nix_fmt.bats
@@ -25,12 +25,10 @@ buildInputs=[pkgs.hello];
 EOF
 
   # Mock nixpkgs-fmt
-  mock_command "nixpkgs-fmt" "cat > default.nix << 'FORMATTED'
-{ pkgs }:
+  mock_command "nixpkgs-fmt" "echo '{ pkgs }:
 pkgs.mkShell {
   buildInputs = [ pkgs.hello ];
-}
-FORMATTED"
+}' > \"\$1\""
 
   run "$ORIGINAL_DIR/hooks/nix/nix-fmt.sh"
   [ "$status" -eq 0 ]

Original file line number	Diff line number	Diff line change
`@@ -14,4 +14,4 @@ VOLUME [ "/src:rw,Z" ]`
`14`	`14`
`15`	`15`	ENV GITGUARDIAN_API_KEY `op read op://${OP_VAULT}/${OP_ITEM_NAME}/${OP_ITEM_FIELD}`
`16`	`16`
`17`		`-ENTRYPOINT [ "op run --env='/src/op.env' -- ggshield secret scan pre-commit" ]`
	`17`	`+ENTRYPOINT [ "op run --env='/src/op.env' -- ggshield secret scan pre-commit" ]`