From a53a2c90d9534a67db7fad1d11594d1645cabc2a Mon Sep 17 00:00:00 2001 From: Kamil Dudka Date: Thu, 12 Dec 2024 12:22:57 +0100 Subject: [PATCH] buildah: fix Checkton/ShellCheck findings They cause the CI to be red on tasks derived from the buildah task. Related: https://github.com/konflux-ci/build-definitions/pull/1653 --- task/buildah-oci-ta/0.2/buildah-oci-ta.yaml | 16 ++++++++-------- task/buildah/0.2/buildah.yaml | 16 ++++++++-------- 2 files changed, 16 insertions(+), 16 deletions(-) diff --git a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml index 65f9cdd091..bf89461332 100644 --- a/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml +++ b/task/buildah-oci-ta/0.2/buildah-oci-ta.yaml @@ -273,14 +273,14 @@ spec: echo "Fetch Dockerfile from $DOCKERFILE" dockerfile_path=$(mktemp --suffix=-Dockerfile) http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") - if [ $http_code != 200 ]; then + if [ "$http_code" != 200 ]; then echo "No Dockerfile is fetched. Server responds $http_code" exit 1 fi http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") - if [ $http_code = 200 ]; then + if [ "$http_code" = 200 ]; then echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" - mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore + mv "$dockerfile_path.dockerignore.tmp" "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" fi else echo "Cannot find Dockerfile $DOCKERFILE" @@ -361,7 +361,7 @@ spec: UNSHARE_ARGS+=("--net") for image in $BASE_IMAGES; do - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull "$image" done echo "Build will be executed with network isolation" fi 
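Review bot: The two `curl -s -S -L -w "%{http_code}" ...` calls in the first hunk fetch the Dockerfile and its `.dockerignore` from `$DOCKERFILE` with redirects followed and no restriction on the URL scheme, so the build recipe can arrive over plain HTTP or through a redirect to another protocol. The hunk quotes the status-code tests but leaves this as is; if plain-HTTP sources do not need to be supported, consider adding `--proto '=https' --proto-redir '=https'` to both calls. The condition that selects this branch lies outside the hunk, so any scheme check performed there is not visible here. The same applies to the matching hunk at `@@ -210,14 +210,14 @@` in task/buildah/0.2/buildah.yaml.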
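Review bot: The loop header `for image in $BASE_IMAGES` is still expanded unquoted, so every entry undergoes pathname expansion as well as word splitting before `buildah pull "$image"` receives it. Where BASE_IMAGES is populated is outside the hunk; if it is derived from the Dockerfile's FROM lines it is contributor-controlled text, and a `*` or `?` in an entry would be matched against the working directory. Consider collecting the images in an array and iterating `for image in "${BASE_IMAGES[@]}"`, or wrapping the loop in `set -f` / `set +f`. The same loop appears at `@@ -293,7 +293,7 @@` in task/buildah/0.2/buildah.yaml.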
@@ -408,14 +408,14 @@ spec: # if yum repofiles stored in git, copy them to mount point outside the source dir if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then - mkdir -p ${YUM_REPOS_D_FETCHED} + mkdir -p "${YUM_REPOS_D_FETCHED}" cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED} fi # if anything in the repofiles mount point (either fetched or from git), mount it if [ -d "${YUM_REPOS_D_FETCHED}" ]; then - chmod -R go+rwX ${YUM_REPOS_D_FETCHED} - mount_point=$(realpath ${YUM_REPOS_D_FETCHED}) + chmod -R go+rwX "${YUM_REPOS_D_FETCHED}" + mount_point=$(realpath "${YUM_REPOS_D_FETCHED}") VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}") fi @@ -518,7 +518,7 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path + buildah mount "$container" | tee /shared/container_path # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners find $(cat /shared/container_path) -xtype l -delete echo $container >/shared/container_name diff --git a/task/buildah/0.2/buildah.yaml b/task/buildah/0.2/buildah.yaml index 53c0896edf..2406613d88 100644 --- a/task/buildah/0.2/buildah.yaml +++ b/task/buildah/0.2/buildah.yaml 
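Review bot: The `cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED}` line is left unquoted while the `mkdir`, `chmod` and `realpath` lines around it are fixed, so a path containing whitespace or glob characters still splits there. It should read `cp -r "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}"/* "${YUM_REPOS_D_FETCHED}"`, keeping only the `/*` outside the quotes. Separately, `chmod -R go+rwX` leaves the repo files writable by group and others before they are mounted into the build; a one-line comment stating why that is required (presumably the user-namespace mapping, to be confirmed) would help later reviewers. The same lines appear at `@@ -340,14 +340,14 @@` in task/buildah/0.2/buildah.yaml.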
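Review bot: `find $(cat /shared/container_path) -xtype l -delete` stays unquoted right after the line this hunk fixes, and it is the destructive one: if `buildah mount` fails, `tee` still succeeds and writes an empty file, the substitution expands to nothing, and GNU find then falls back to the current directory. Whether `pipefail` is set is not visible in the hunk. Capture the path once and quote it: `container_path=$(buildah mount "$container")`, `printf '%s\n' "$container_path" | tee /shared/container_path`, `find "$container_path" -xtype l -delete`; the trailing `echo $container` should likewise become `echo "$container"`. The same lines appear at `@@ -452,7 +452,7 @@` in task/buildah/0.2/buildah.yaml.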
@@ -210,14 +210,14 @@ spec: echo "Fetch Dockerfile from $DOCKERFILE" dockerfile_path=$(mktemp --suffix=-Dockerfile) http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path" "$DOCKERFILE") - if [ $http_code != 200 ]; then + if [ "$http_code" != 200 ]; then echo "No Dockerfile is fetched. Server responds $http_code" exit 1 fi http_code=$(curl -s -S -L -w "%{http_code}" --output "$dockerfile_path.dockerignore.tmp" "$DOCKERFILE.dockerignore") - if [ $http_code = 200 ]; then + if [ "$http_code" = 200 ]; then echo "Fetched .dockerignore from $DOCKERFILE.dockerignore" - mv "$dockerfile_path.dockerignore.tmp" $SOURCE_CODE_DIR/$CONTEXT/.dockerignore + mv "$dockerfile_path.dockerignore.tmp" "$SOURCE_CODE_DIR/$CONTEXT/.dockerignore" fi else echo "Cannot find Dockerfile $DOCKERFILE" @@ -293,7 +293,7 @@ spec: UNSHARE_ARGS+=("--net") for image in $BASE_IMAGES; do - unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull $image + unshare -Ufp --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -- buildah pull "$image" done echo "Build will be executed with network isolation" fi @@ -340,14 +340,14 @@ spec: # if yum repofiles stored in git, copy them to mount point outside the source dir if [ -d "${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}" ]; then - mkdir -p ${YUM_REPOS_D_FETCHED} + mkdir -p "${YUM_REPOS_D_FETCHED}" cp -r ${SOURCE_CODE_DIR}/${YUM_REPOS_D_SRC}/* ${YUM_REPOS_D_FETCHED} fi # if anything in the repofiles mount point (either fetched or from git), mount it if [ -d "${YUM_REPOS_D_FETCHED}" ]; then - chmod -R go+rwX ${YUM_REPOS_D_FETCHED} - mount_point=$(realpath ${YUM_REPOS_D_FETCHED}) + chmod -R go+rwX "${YUM_REPOS_D_FETCHED}" + mount_point=$(realpath "${YUM_REPOS_D_FETCHED}") VOLUME_MOUNTS+=(--volume "${mount_point}:${YUM_REPOS_D_TARGET}") fi 
@@ -452,7 +452,7 @@ spec: unshare -Uf "${UNSHARE_ARGS[@]}" --keep-caps -r --map-users 1,1,65536 --map-groups 1,1,65536 -w "${SOURCE_CODE_DIR}/$CONTEXT" -- sh -c "$command" container=$(buildah from --pull-never "$IMAGE") - buildah mount $container | tee /shared/container_path + buildah mount "$container" | tee /shared/container_path # delete symlinks - they may point outside the container rootfs, messing with SBOM scanners find $(cat /shared/container_path) -xtype l -delete echo $container > /shared/container_name