From 0c00b56aeea201d7ffdcc0b2c86b4d8e56c6e60a Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 26 May 2026 19:59:16 +1000 Subject: [PATCH 1/2] ci: clean up workflow shellcheck nits actionlint (rhysd/actionlint) reported a handful of shellcheck-class issues across the GitHub Actions workflows. All are 1-line mechanical fixes: * Replace legacy backticks in --rsync-bin=`pwd`/rsync with --rsync-bin="$PWD/rsync" (SC2006 + SC2046; almalinux-8-build, macos-build, ubuntu-22.04-build, ubuntu-build). * Quote >>$GITHUB_PATH redirects as >>"$GITHUB_PATH" (SC2086; coverage, macos-build, ubuntu-22.04-build, ubuntu-build). After this commit `actionlint .github/workflows/*.yml` exits 0. (Also cleaned up 6 editor backup *.yml~ files from the local working tree; those weren't tracked -- *~ is gitignored -- so the cleanup is local-only and not part of this commit.) Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/almalinux-8-build.yml | 2 +- .github/workflows/coverage.yml | 2 +- .github/workflows/macos-build.yml | 4 ++-- .github/workflows/ubuntu-22.04-build.yml | 4 ++-- .github/workflows/ubuntu-build.yml | 4 ++-- 5 files changed, 8 insertions(+), 8 deletions(-) diff --git a/.github/workflows/almalinux-8-build.yml b/.github/workflows/almalinux-8-build.yml index 3eb96f9ac..e633153cd 100644 --- a/.github/workflows/almalinux-8-build.yml +++ b/.github/workflows/almalinux-8-build.yml @@ -65,7 +65,7 @@ jobs: run: RSYNC_EXPECT_SKIPPED=crtimes,daemon-access-ip,daemon-chroot-acl,proxy-response-line-too-long make check - name: check (TCP daemon transport) # Second run exercising the real loopback-TCP daemon path. - run: ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8 + run: ./runtests.py --rsync-bin="$PWD/rsync" --use-tcp -j 8 - name: ssl file list run: ./rsync-ssl --no-motd download.samba.org::rsyncftp/ || true - name: save artifact diff --git a/.github/workflows/coverage.yml b/.github/workflows/coverage.yml index 71d9f37fd..7c070db70 100644 --- a/.github/workflows/coverage.yml +++ b/.github/workflows/coverage.yml @@ -27,7 +27,7 @@ jobs: run: | sudo apt-get update sudo apt-get install -y acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl gcovr - echo "/usr/local/bin" >>$GITHUB_PATH + echo "/usr/local/bin" >>"$GITHUB_PATH" - name: configure run: ./configure --enable-coverage --with-rrsync - name: make diff --git a/.github/workflows/macos-build.yml b/.github/workflows/macos-build.yml index 6af741fd3..0653a6036 100644 --- a/.github/workflows/macos-build.yml +++ b/.github/workflows/macos-build.yml @@ -26,7 +26,7 @@ jobs: run: | brew install automake openssl xxhash zstd lz4 pip3 install --user --break-system-packages commonmark - echo "$(brew --prefix)/bin" >>$GITHUB_PATH + echo "$(brew --prefix)/bin" >>"$GITHUB_PATH" - name: configure run: | BREW_PREFIX=$(brew --prefix) @@ -48,7 +48,7 @@ jobs: - name: check (TCP daemon transport) # Second run with daemon tests over a real loopback rsyncd; the default # 'make check' above uses the secure stdio-pipe transport. - run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8 + run: sudo ./runtests.py --rsync-bin="$PWD/rsync" --use-tcp -j 8 - name: ssl file list run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true - name: save artifact diff --git a/.github/workflows/ubuntu-22.04-build.yml b/.github/workflows/ubuntu-22.04-build.yml index 3cf271e55..19f9cc037 100644 --- a/.github/workflows/ubuntu-22.04-build.yml +++ b/.github/workflows/ubuntu-22.04-build.yml @@ -29,7 +29,7 @@ jobs: - name: prep run: | sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl - echo "/usr/local/bin" >>$GITHUB_PATH + echo "/usr/local/bin" >>"$GITHUB_PATH" - name: configure run: ./configure --with-rrsync - name: make @@ -47,7 +47,7 @@ jobs: - name: check (TCP daemon transport) # Second run with daemon tests over a real loopback rsyncd; the default # 'make check' above uses the secure stdio-pipe transport. - run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8 + run: sudo ./runtests.py --rsync-bin="$PWD/rsync" --use-tcp -j 8 - name: ssl file list run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true - name: save artifact diff --git a/.github/workflows/ubuntu-build.yml b/.github/workflows/ubuntu-build.yml index 47312f0a8..b3e67d0ac 100644 --- a/.github/workflows/ubuntu-build.yml +++ b/.github/workflows/ubuntu-build.yml @@ -25,7 +25,7 @@ jobs: - name: prep run: | sudo apt-get install acl libacl1-dev attr libattr1-dev liblz4-dev libzstd-dev libxxhash-dev python3-cmarkgfm openssl - echo "/usr/local/bin" >>$GITHUB_PATH + echo "/usr/local/bin" >>"$GITHUB_PATH" - name: configure run: ./configure --with-rrsync - name: make @@ -45,7 +45,7 @@ jobs: # 'make check' above uses the secure stdio-pipe transport (no listening # sockets); this run exercises the real TCP accept/auth path. Skip-set # is env-dependent here (chroot-acl), so leave RSYNC_EXPECT_SKIPPED unset. - run: sudo ./runtests.py --rsync-bin=`pwd`/rsync --use-tcp -j 8 + run: sudo ./runtests.py --rsync-bin="$PWD/rsync" --use-tcp -j 8 - name: ssl file list run: rsync-ssl --no-motd download.samba.org::rsyncftp/ || true - name: save artifact From 45d81fc841b927e22adcec2d639a0f4089ce716f Mon Sep 17 00:00:00 2001 From: Andrew Tridgell Date: Tue, 26 May 2026 20:02:52 +1000 Subject: [PATCH 2/2] ci: add actionlint workflow to lint GitHub Actions YAML Adds .github/workflows/actionlint.yml which runs rhysd/actionlint over .github/workflows/*.yml on push and PR to master. Triggers only when something in .github/workflows/ (or the actionlint config) changes, so the rest of the platform matrix isn't billed when nothing here moves. The job downloads a pinned actionlint binary (1.7.12) via the upstream download script (which verifies a SHA256) -- no third-party Action dependency, matching the inline-install style of the existing ubuntu/macos/cygwin workflows. Bump the pinned version deliberately. actionlint catches a) GitHub Actions expression / type errors, b) unsupported runner images, c) missing secrets / inputs, and d) the embedded shellcheck class of issues in 'run:' scripts that the previous commit cleaned up. Keeping it in CI prevents regressions. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/actionlint.yml | 43 ++++++++++++++++++++++++++++++++ 1 file changed, 43 insertions(+) create mode 100644 .github/workflows/actionlint.yml diff --git a/.github/workflows/actionlint.yml b/.github/workflows/actionlint.yml new file mode 100644 index 000000000..0e81e9174 --- /dev/null +++ b/.github/workflows/actionlint.yml @@ -0,0 +1,43 @@ +name: Lint GitHub Actions workflows + +# Static-check the workflow YAML with rhysd/actionlint. Catches missing +# secrets, bad expressions, expression-type errors, unsupported runner +# images, and (via embedded shellcheck) common pitfalls in `run:` scripts. +# Trigger only on changes under .github/workflows/ so the rest of the +# matrix isn't billed when nothing here moves. + +on: + push: + branches: [ master ] + paths: + - '.github/workflows/*.yml' + - '.github/actionlint.yaml' + - '.github/actionlint.yml' + pull_request: + branches: [ master ] + paths: + - '.github/workflows/*.yml' + - '.github/actionlint.yaml' + - '.github/actionlint.yml' + +permissions: + contents: read + +jobs: + actionlint: + runs-on: ubuntu-latest + name: actionlint + steps: + - uses: actions/checkout@v4 + - name: install actionlint + # Pin a version so this job is reproducible; bump deliberately. + # The download script verifies a SHA256 of the release tarball. + run: | + bash <(curl --proto '=https' --tlsv1.2 -fsSL \ + https://raw.githubusercontent.com/rhysd/actionlint/main/scripts/download-actionlint.bash) \ + 1.7.12 + echo "$PWD" >>"$GITHUB_PATH" + - name: actionlint --version + run: actionlint -version + - name: actionlint .github/workflows/*.yml + run: actionlint -color