fix

Author: anthony-nhs

Makefile

@@ -85,21 +85,29 @@ build-grant:
 		docker build -f src/base/.devcontainer/Dockerfile.grant --tag local_grant:latest src/base/.devcontainer/; \
 	fi
 
-build-tflint: guard-GITHUB_TOKEN
+build-tflint:
 	@if docker image inspect local_tflint:latest >/dev/null 2>&1; then \
 		echo "Image local_tflint:latest already exists. Skipping build."; \
 	else \
+		if [ -z "$$GITHUB_TOKEN" ]; then \
+			echo "GITHUB_TOKEN environment variable not set. Please set it by running 'make github-login' and setting GITHUB_TOKEN to the value of 'gh auth token'."; \
+			exit 1; \
+		fi; \
 		docker buildx build \
 			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
 			-f src/base/.devcontainer/Dockerfile.tflint \
 			--tag local_tflint:latest \
 			src/base/.devcontainer/; \
 	fi
 
-build-zizmor: guard-GITHUB_TOKEN
+build-zizmor:
 	@if docker image inspect local_zizmor:latest >/dev/null 2>&1; then \
 		echo "Image local_zizmor:latest already exists. Skipping build."; \
 	else \
+		if [ -z "$$GITHUB_TOKEN" ]; then \
+			echo "GITHUB_TOKEN environment variable not set. Please set it by running 'make github-login' and setting GITHUB_TOKEN to the value of 'gh auth token'."; \
+			exit 1; \
+		fi; \
 		docker buildx build \
 			--secret id=GH_TOKEN,env=GITHUB_TOKEN \
 			-f src/base/.devcontainer/Dockerfile.zizmor \

src/base/.devcontainer/.tool-versions

@@ -1,4 +1,3 @@
-shellcheck 0.11.0
 direnv 2.37.1
 actionlint 1.7.12
 ruby 3.3.0

src/base/.devcontainer/Dockerfile

@@ -12,6 +12,7 @@ ARG SAM_VERSION="v1.158.0"
 ARG ASDF_VERSION="v0.18.1"
 ARG GITLEAKS_VERSION="8.30.1"
 ARG CFN_GUARD_VERSION="3.2.0"
+ARG SHELLCHECK_VERSION="v0.11.0"
 
 ENV SCRIPTS_DIR=${SCRIPTS_DIR}
 ENV CONTAINER_NAME=${CONTAINER_NAME}
@@ -20,12 +21,15 @@ ENV SAM_VERSION=${SAM_VERSION}
 ENV ASDF_VERSION=${ASDF_VERSION}
 ENV GITLEAKS_VERSION=${GITLEAKS_VERSION}
 ENV CFN_GUARD_VERSION=${CFN_GUARD_VERSION}
+ENV SHELLCHECK_VERSION=${SHELLCHECK_VERSION}
+
 COPY --chmod=755 scripts/lifecycle/*.sh ${SCRIPTS_DIR}/
 COPY --chmod=755 scripts/root_install.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/root_install.sh
 COPY --chmod=755 scripts/install_aws_sam_cli.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_aws_sam_cli.sh
 COPY --chmod=755 scripts/install_asdf.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_asdf.sh
 COPY --chmod=755 scripts/install_gitleaks.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_gitleaks.sh
 COPY --chmod=755 scripts/install_cfn_guard.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_cfn_guard.sh
+COPY --chmod=755 scripts/install_shellcheck.sh ${SCRIPTS_DIR}/${CONTAINER_NAME}/install_shellcheck.sh
 COPY --chmod=755 Mk ${SCRIPTS_DIR}/Mk
 
 WORKDIR ${SCRIPTS_DIR}/${CONTAINER_NAME}

src/base/.devcontainer/scripts/install_shellcheck.sh

@@ -0,0 +1,57 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+VERSION=${VERSION:-"v0.11.0"}
+# Expected SHA256 checksums taken from https://github.com/koalaman/shellcheck/releases/tag/v0.11.0
+# When we change shellcheck versions, these must be changed
+sha256sum_expected_arm="sha256:68a8133197a50beb8803f8d42f9908d1af1c5540d4bb05fdfca8c1fa47decefc"
+sha256sum_expected_amd64="sha256:b7af85e41cc99489dcc21d66c6d5f3685138f06d34651e6d34b42ec6d54fe6f6"
+
+if [ "$(id -u)" -ne 0 ]; then
+    echo -e 'Script must be run as root. Use sudo, su, or add "USER root" to your Dockerfile before running this script.'
+    exit 1
+fi
+
+# Checks if packages are installed and installs them if not
+check_packages() {
+    if ! dpkg -s "$@" > /dev/null 2>&1; then
+        sudo apt-get -y install --no-install-recommends "$@"
+    fi
+}
+
+check_packages curl ca-certificates tar
+
+install() {
+    tmp_dir="$(mktemp -d)"
+    trap 'rm -rf "${tmp_dir}"' EXIT
+
+    download_file="${tmp_dir}/shellcheck.tar.gz"
+
+    if [ "$TARGETARCH" = "arm64" ] || [ "$TARGETARCH" == "aarch64" ]; then
+        download_url="https://github.com/koalaman/shellcheck/releases/download/${VERSION}/shellcheck-${VERSION}.linux.aarch64.tar.xz"
+        sha256sum_expected="${sha256sum_expected_arm}"
+    else
+        download_url="https://github.com/koalaman/shellcheck/releases/download/${VERSION}/shellcheck-${VERSION}.linux.x86_64.tar.gz"
+        sha256sum_expected="${sha256sum_expected_amd64}"
+    fi
+    echo "Downloading shellcheck from ${download_url}..."
+    curl -fsSL "${download_url}" -o "${download_file}"
+
+    download_file_sha256sum=$(sha256sum "${download_file}" | awk '{print $1}')
+    if [ "${download_file_sha256sum}" != "${sha256sum_expected#sha256:}" ]; then
+        echo "SHA256 checksum mismatch for downloaded shellcheck archive"
+        echo "Expected: ${sha256sum_expected}"
+        echo "Actual:   sha256:${download_file_sha256sum}"
+        exit 1
+    fi
+
+    tar -xzf "${download_file}" -C "${tmp_dir}"
+    mkdir -p /usr/bin
+    mv "${tmp_dir}/shellcheck-${VERSION}/shellcheck" /usr/bin/shellcheck
+    chmod +x /usr/bin/shellcheck
+}
+echo "(*) Installing shellcheck..."
+
+install
+
+echo "Done!"

src/base/.devcontainer/scripts/root_install.sh

@@ -38,6 +38,8 @@ VERSION="${SAM_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_aws_sam_cli.s
 VERSION="${ASDF_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_asdf.sh"
 # install gitleaks
 VERSION="${GITLEAKS_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_gitleaks.sh"
+# install shellcheck
+VERSION="${SHELLCHECK_VERSION}" "${SCRIPTS_DIR}/${CONTAINER_NAME}/install_shellcheck.sh"
 
 # install gitsecrets
 # this should be removed once we have migrated all repos to gitleaks

src/base/.devcontainer/scripts/vscode_install.sh

@@ -12,7 +12,6 @@ echo 'export GEM_HOME="$HOME/gems"' >> ~/.bashrc
 echo 'export PATH="$HOME/gems/bin:$PATH"' >> ~/.bashrc
 
 # Install ASDF plugins
-asdf plugin add shellcheck https://github.com/luizm/asdf-shellcheck.git
 asdf plugin add direnv
 asdf plugin add actionlint
 asdf plugin add ruby https://github.com/asdf-vm/asdf-ruby.git