From 08898ad9f0cb1714dba7a114c5a7a5ca48353fa7 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Thu, 4 Jun 2026 15:50:19 +0200
Subject: [PATCH 1/3] #76 might have dropped y-kubeconfig-import prematurely
---
bin/y-kubeconfig-import | 20 ++++++++++++++++++++
1 file changed, 20 insertions(+)
create mode 100755 bin/y-kubeconfig-import
diff --git a/bin/y-kubeconfig-import b/bin/y-kubeconfig-import
new file mode 100755
index 00000000..6dc2a94c
--- /dev/null
+++ b/bin/y-kubeconfig-import
@@ -0,0 +1,20 @@
+#!/usr/bin/env bash
+[ -z "$DEBUG" ] || set -x
+set -eo pipefail
+
+[ -z "$1" ] && echo "First arg should be the path to a _temporary_ kubeconfig file" && exit 1
+
+CONFTEMP="$1"
+
+[ ! -f "$CONFTEMP" ] && echo "Temporary file $CONFTEMP not found. No import performed." && exit 1
+
+[ -z "$KUBECONFIG" ] && echo "This script requires a KUBECONFIG env. Aborting merge." && exit 1
+
+if [ -f "$KUBECONFIG" ]; then
+ echo "Target kubeconfig $KUBECONFIG already exists. Merging."
+ KUBECONFIG="$CONFTEMP:$KUBECONFIG" kubectl config view --flatten > "$CONFTEMP-merged"
+ mv "$CONFTEMP-merged" "$CONFTEMP"
+else
+ echo "Target kubeconfig $KUBECONFIG doesn't exist. Importing temp as is."
+fi
+mv "$CONFTEMP" "$KUBECONFIG"
From 437d76edd9c60df710505fb2d8b61bbce2614bb7 Mon Sep 17 00:00:00 2001
From: Staffan Olsson
Date: Fri, 5 Jun 2026 10:02:56 +0200
Subject: [PATCH 2/3] y-kubeconfig-import: set -u and guard unset reads; document current-context flip
Co-Authored-By: Claude Opus 4.8 (1M context)
---
bin/y-kubeconfig-import | 10 ++++++----
1 file changed, 6 insertions(+), 4 deletions(-)
diff --git a/bin/y-kubeconfig-import b/bin/y-kubeconfig-import
index 6dc2a94c..e0d45efb 100755
--- a/bin/y-kubeconfig-import
+++ b/bin/y-kubeconfig-import
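Review bot: In the new bin/y-kubeconfig-import added by patch 1/3, the merged kubeconfig is created by the `> "$CONFTEMP-merged"` redirect under the caller's umask and then moved over `$KUBECONFIG`, so a file holding cluster credentials can end up group- or world-readable even if the previous kubeconfig was 0600. A `umask 077` right after `set -eo pipefail` covers the merge branch, and a `chmod 600 "$CONFTEMP"` before the final `mv` also covers the else branch, where the temp file is moved with whatever mode it arrived with. The `-merged` name is predictable next to the temp file, so creating it with `mktemp "$CONFTEMP.XXXXXX"` would be safer if CONFTEMP can live in a shared directory.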
@@ -1,17 +1,19 @@ #!/usr/bin/env bash -[ -z "$DEBUG" ] || set -x -set -eo pipefail +[ -z "${DEBUG:-}" ] || set -x +set -euo pipefail -[ -z "$1" ] && echo "First arg should be the path to a _temporary_ kubeconfig file" && exit 1 +[ -z "${1:-}" ] && echo "First arg should be the path to a _temporary_ kubeconfig file" && exit 1 CONFTEMP="$1" [ ! -f "$CONFTEMP" ] && echo "Temporary file $CONFTEMP not found. No import performed." && exit 1 -[ -z "$KUBECONFIG" ] && echo "This script requires a KUBECONFIG env. Aborting merge." && exit 1 +[ -z "${KUBECONFIG:-}" ] && echo "This script requires a KUBECONFIG env. Aborting merge." && exit 1 if [ -f "$KUBECONFIG" ]; then echo "Target kubeconfig $KUBECONFIG already exists. Merging." + # note: current-context becomes whatever CONFTEMP set, because CONFTEMP is listed + # first in KUBECONFIG and --flatten preserves the merged current-context. KUBECONFIG="$CONFTEMP:$KUBECONFIG" kubectl config view --flatten > "$CONFTEMP-merged" mv "$CONFTEMP-merged" "$CONFTEMP" else From 8ec23a0fd243ac57abf98c95b4db0a9cf280392d Mon Sep 17 00:00:00 2001 From: Staffan Olsson Date: Fri, 5 Jun 2026 10:15:45 +0200 Subject: [PATCH 3/3] y-script-lint: accept set -u-safe ${DEBUG:-} guard in DEBUG check The DEBUG pattern check only matched the literal [ -z "$DEBUG" ] form, so adding set -u (which requires the ${DEBUG:-} guard) flipped the debug check true->false and was reported as a degradation. Accept both forms. Document the guarded form in Y_SCRIPT_AUTHORING.md. ${DEBUG:-} is valid in plain bash/sh and POSIX, so make it the canonical DEBUG-trace form; the bare $DEBUG form stays tolerated by y-script-lint. Co-Authored-By: Claude Opus 4.8 (1M context) --- Y_SCRIPT_AUTHORING.md | 8 ++++---- bin/y-script-lint | 2 +- 2 files changed, 5 insertions(+), 5 deletions(-) diff --git a/Y_SCRIPT_AUTHORING.md b/Y_SCRIPT_AUTHORING.md index d6a3612a..facee91f 100644 --- a/Y_SCRIPT_AUTHORING.md +++ b/Y_SCRIPT_AUTHORING.md 
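Review bot: The comment added in the merge branch by patch 2/3 explains the current-context flip but not the wider effect of listing CONFTEMP first: kubectl's merge keeps the first file's value for a given key, so a cluster, user or context in the temporary file silently shadows an existing entry with the same name. I would extend the comment with something like `# same first-wins rule applies to clusters/users/contexts with colliding names: CONFTEMP entries replace existing ones`. The guard lines at the top of this hunk also still print their errors to stdout; adding `>&2` to those `echo` calls would keep them out of captured output. The `if` block continues past the end of the hunk.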
@@ -39,7 +39,7 @@ esac ```bash #!/usr/bin/env bash -[ -z "$DEBUG" ] || set -x +[ -z "${DEBUG:-}" ] || set -x set -eo pipefail YHELP='y-example - Bump image tags in kustomization files @@ -123,7 +123,7 @@ if (process.argv[2] === 'help' || process.argv[2] === '--help') { |-------|-------------|-------|---------|-------------| | Shebang | FAIL | `#!/usr/bin/env bash` or `#!/bin/sh` | `#!/usr/bin/env node` or `*-strip-types` | First line | | `set -eo pipefail` | FAIL | Required | n/a | Second or third line | -| DEBUG pattern | WARN | `[ -z "$DEBUG" ] \|\| set -x` | n/a | Second line | +| DEBUG pattern | WARN | `[ -z "${DEBUG:-}" ] \|\| set -x` (bare `$DEBUG` also tolerated) | n/a | Second line | | Help handler | WARN | `"$1" = "help"` in case/if | `process.argv` includes `help` | See templates above | | No `npx` | FAIL | Not in non-comment lines | Not in non-comment lines | Use project deps | | No `eval` | FAIL | Not in non-comment lines | No `eval(` calls | Avoid eval | @@ -212,7 +212,7 @@ Every shell script must start with a shebang and standard preamble: ```bash #!/usr/bin/env bash -[ -z "$DEBUG" ] || set -x +[ -z "${DEBUG:-}" ] || set -x set -eo pipefail ``` @@ -295,7 +295,7 @@ Validate required arguments early with clear error messages: - Document all env vars in help text - Provide sensible defaults: `[ -z "$REGISTRY" ] && REGISTRY="docker.io"` -- Use `DEBUG` for `set -x` tracing (convention: `[ -z "$DEBUG" ] || set -x`) +- Use `DEBUG` for `set -x` tracing (convention: `[ -z "${DEBUG:-}" ] || set -x`; the guard keeps it safe under `set -u`) - Never require secrets as positional args; use env vars or files ## Shell Practices diff --git a/bin/y-script-lint b/bin/y-script-lint index df03238a..eaa9a7f5 100755 --- a/bin/y-script-lint +++ b/bin/y-script-lint 
@@ -141,7 +141,7 @@ is_node() { [ "$1" = "node" ] || [ "$1" = "typescript" ]; } # --- Static checks --- check_header_pipefail() { grep -qE '^set -e(u?o pipefail)?$' "$1" 2>/dev/null; } -check_header_debug() { grep -qE '^\[ -z "\$DEBUG" \] \|\| set -x' "$1" 2>/dev/null; } +check_header_debug() { grep -qE '^\[ -z "\$(DEBUG|\{DEBUG:-\})" \] \|\| set -x' "$1" 2>/dev/null; } check_help_handler() { local file="$1" lang="$2"
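Review bot: The widened pattern in check_header_debug (bin/y-script-lint, patch 3/3) is anchored with `^` but has no end anchor, unlike check_header_pipefail on the line above, so any trailing text after `set -x` still passes the check. If that is meant to allow trailing comments, a short comment such as `# accepts [ -z "$DEBUG" ] and the set -u-safe [ -z "${DEBUG:-}" ] form; trailing text allowed` would make it explicit; otherwise append `$` to the pattern. The `2>/dev/null` also means an unreadable file is reported as a missing DEBUG line rather than as an error, which is worth stating in the same comment.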