Add ShellCheck GitHub Actions workflow

[sebrandon1]

Summary

• Add a make test-shellcheck target and hack/test-shellcheck.sh wrapper script following the same pattern as make test-kustomize / hack/test-kustomize.sh
• Add a GitHub Actions workflow that calls make test-shellcheck when PRs touch shell scripts or the Makefile
• Add shellcheck to the make check-deps dependency verification
• Fix 2 existing ShellCheck errors (SC2145: $@ in echo strings changed to $*) in extra-manifests-builder test scripts
• Runs at severity=error to catch real bugs without blocking on style warnings

The repo has 32 shell scripts across hack/, extra-manifests-builder/, compare utilities, and configuration scripts. Users can now validate scripts locally with make test-shellcheck before pushing.

[openshift-ci]

[APPROVALNOTIFIER] This PR is NOT APPROVED

This pull-request has been approved by: sebrandon1
Once this PR has been reviewed and has the lgtm label, please assign irinamihai for approval. For more information see the Code Review Process.

The full list of commands accepted by this bot can be found here.

Details

Needs approval from an approver in each of these files:

• OWNERS

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[coderabbitai]

Warning

Review limit reached

@sebrandon1, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 48 minutes and 4 seconds. Learn how PR review limits work.

Your organization has used up its prepaid credits, and credit purchases are no longer available. Enable the review add-on in the billing tab to keep reviews running — you're only billed for reviews past your plan's rate limits ($0.25/file).

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

To avoid repeated limits, reduce automatic review volume by pausing incremental auto-reviews earlier, using label-based review opt-in, excluding WIP or generated PR titles, or requesting reviews manually when the PR is ready. If your team needs uninterrupted high-volume reviews, an organization admin can enable usage-based credits.

🚦 How do rate limits work?

CodeRabbit enforces per-developer PR review limits for each organization. Most developers receive the normal plan refill rate.

For paid Pro and Pro+ PR reviews, CodeRabbit uses adaptive limits for sustained high-volume activity. When a developer's recent PR review activity reaches the 95th percentile or higher among CodeRabbit users, the refill rate gradually slows as usage increases. The highest same-day bursts are limited more strictly.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 06540d52-238b-4e5e-8b10-da89f3fce244

📥 Commits

Reviewing files that changed from the base of the PR and between 49f17fd and 3bed570.

📒 Files selected for processing (5)

• .github/workflows/shellcheck.yml
• Makefile
• hack/test-shellcheck.sh
• telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/test.sh
• telco-ran/configuration/extra-manifests-builder/08-set-rcu-normal/test.sh

📝 Walkthrough

Walkthrough

A ShellCheck linting pipeline is added: a new hack/test-shellcheck.sh runner script discovers and lints all shell scripts with directory exclusions, a test-shellcheck Makefile target invokes it, check-deps gains a shellcheck presence check, and a GitHub Actions workflow runs the target on PRs. Two existing test.sh scripts are fixed to pass the linter by changing $@ to $* in their fatal() helpers.

Changes

ShellCheck Linting Infrastructure

Layer / File(s)	Summary
ShellCheck runner script, Makefile targets, and CI workflow hack/test-shellcheck.sh, Makefile, .github/workflows/shellcheck.yml	hack/test-shellcheck.sh discovers all *.sh files (excluding .git/, venv/, .venv/, sdk-go/), runs shellcheck --severity=error on each, and exits 1 on any failure. The Makefile adds a shellcheck presence check in check-deps and a test-shellcheck phony target. The GitHub Actions workflow triggers on PRs touching **/*.sh or Makefile and runs make test-shellcheck on ubuntu-latest.
Fix fatal() argument expansion in existing test scripts telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/test.sh, telco-ran/configuration/extra-manifests-builder/08-set-rcu-normal/test.sh	The fatal() helper in both scripts is updated from "$@" to "$*" so multiple arguments are concatenated in the FATAL: output and the scripts pass ShellCheck.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

🚥 Pre-merge checks | ✅ 5

✅ Passed checks (5 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately summarizes the main change: adding a ShellCheck GitHub Actions workflow. It is concise, specific, and directly reflects the primary purpose of the pull request.
Description check	✅ Passed	The description clearly details all major changes in the PR including the new workflow, Makefile target, test wrapper script, dependency check, and existing bug fixes. It provides meaningful context about the changeset.
Docstring Coverage	✅ Passed	Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%.
Linked Issues check	✅ Passed	Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check	✅ Passed	Check skipped because no linked issues were found for this pull request.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[irinamihai]

It looks like there is no way for users to run the shellcheck locally, before pushing their changes.
I think the model under the kustomization validation workflow should be followed where there's a makefile target for the shellcheck and the workflow calls it. WDYT?

Also, shellcheck should be a verified dependency under the check-deps target if it's gonna be available to run locally.

[sebrandon1]

Ah yes good call I will update it to match the same flow as the kustomization workflow.

[coderabbitai]

Actionable comments posted: 1

🤖 Prompt for all review comments with AI agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

Inline comments:
In @.github/workflows/shellcheck.yml:
- Around line 20-21: The actions/checkout action is not pinned to a specific
commit SHA, creating a supply-chain risk. Replace the version tag reference
(currently `@v4`) in the uses field with a pinned commit SHA. Additionally,
explicitly disable credential persistence by adding a with section to the
checkout action with persist-credentials: false. This change should be applied
to all instances of the actions/checkout action across the workflow files
(shellcheck.yml, kustomize-validation.yml, and doc-updater.yml).

🪄 Autofix (Beta)

Fix all unresolved CodeRabbit comments on this PR:

• Push a commit to this branch (recommended)
• Create a new PR with the fixes

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Enterprise

Run ID: 83072a75-c21c-4a99-b1f7-322a35576cd9

📥 Commits

Reviewing files that changed from the base of the PR and between 8b0e015 and 49f17fd.

📒 Files selected for processing (5)

• .github/workflows/shellcheck.yml
• Makefile
• hack/test-shellcheck.sh
• telco-ran/configuration/extra-manifests-builder/01-container-mount-ns-and-kubelet-conf/test.sh
• telco-ran/configuration/extra-manifests-builder/08-set-rcu-normal/test.sh

[coderabbitai]

🔒 Security & Privacy | 🟠 Major

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Verify workflow action pinning and checkout credential persistence settings.
rg -n --type=yaml 'uses:\s*actions/checkout@' .github/workflows
rg -n --type=yaml 'persist-credentials:\s*false' .github/workflows

Repository: openshift-kni/telco-reference

Length of output: 388

---

Pin actions/checkout to a commit SHA and disable credential persistence.

actions/checkout@v4 is not pinned to a commit SHA, creating a supply-chain risk. Additionally, persist-credentials: false should be explicitly set unless authenticated git writes are required. This applies to all checkout actions in the workflows (also found in kustomize-validation.yml and doc-updater.yml).

Suggested hardening

       - name: Checkout repository
-        uses: actions/checkout@v4
+        uses: actions/checkout@<pinned_commit_sha>
+        with:
+          persist-credentials: false

🧰 Tools

🪛 zizmor (1.26.1)

[warning] 20-21: credential persistence through GitHub Actions artifacts (artipacked): does not set persist-credentials: false

(artipacked)

---

[error] 21-21: unpinned action reference (unpinned-uses): action is not pinned to a hash (required by blanket policy)

(unpinned-uses)

🤖 Prompt for AI Agents

Verify each finding against current code. Fix only still-valid issues, skip the
rest with a brief reason, keep changes minimal, and validate.

In @.github/workflows/shellcheck.yml around lines 20 - 21, The actions/checkout
action is not pinned to a specific commit SHA, creating a supply-chain risk.
Replace the version tag reference (currently `@v4`) in the uses field with a
pinned commit SHA. Additionally, explicitly disable credential persistence by
adding a with section to the checkout action with persist-credentials: false.
This change should be applied to all instances of the actions/checkout action
across the workflow files (shellcheck.yml, kustomize-validation.yml, and
doc-updater.yml).

Source: Linters/SAST tools

[irinamihai]

@sebrandon1 , could you kindly address this?

[coderabbitai]

Seems like the humans are having a chat. I'll hop back into my burrow for now. If you need me again, just tag @coderabbitai in a new comment, and I'll come hopping out!