35 changes: 0 additions & 35 deletions .github/workflows/e2e_test.yml

This file was deleted.

45 changes: 45 additions & 0 deletions .github/workflows/lint.yml
@@ -0,0 +1,45 @@
name: Lint

on:
push:
branches: [master]
pull_request:
branches: [master]

jobs:
shellcheck:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- name: ShellCheck
uses: luizm/action-sh-checker@master
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
SHFMT_OPTS: -i 2 -ci
with:
sh_checker_comment: true
sh_checker_exclude: ".git"

shfmt:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
ref: ${{ github.head_ref }}
token: ${{ secrets.GITHUB_TOKEN }}
- name: Setup shfmt
run: |
curl -sS https://webinstall.dev/shfmt | bash
echo "$HOME/.local/bin" >> $GITHUB_PATH
- name: Run shfmt
run: shfmt -i 2 -ci -w .
- name: Commit changes
uses: stefanzweifel/git-auto-commit-action@v5
with:
commit_message: "style: auto-format shell scripts with shfmt"
Comment on lines +26 to +39
⚠️ Potential issue | 🟠 Major

Auto-commit fails for PRs from forks.

The shfmt job auto-commits changes, but for PRs from forks it fails because there is no write permission to the repository. Also, ref: ${{ github.head_ref }} may be empty on push events.

Consider one of the following:

  • Only run a format check and, on failure, ask contributors to fix it locally, or
  • Use pull_request_target, or
  • Use a conditional so that auto-commit is enabled only on push events
🤖 Prompt for AI Agents
In .github/workflows/lint.yml around lines 26-39, the workflow auto-commits
shfmt changes which fails for forked PRs (no write permission) and using ref:
${{ github.head_ref }} can be empty on push events; update the job to avoid
automatic commits on forked PRs by either (a) change the workflow to only run
shfmt as a check (fail CI on diffs and instruct contributors to run shfmt
locally), (b) or guard the Commit changes step to run only when the event is
push and a writable token is available (e.g., check github.event_name == 'push'
and secrets.GITHUB_TOKEN present), or (c) switch to pull_request_target with
explicit safety review if you need write access; also make the checkout ref
logic robust by falling back to github.ref when github.head_ref is empty. Ensure
you remove or conditionalize the git-auto-commit step so forked PRs no longer
attempt to push.


yamllint:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
- uses: frenck/action-yamllint@v1
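Review bot: the shfmt job checks out with a write-capable token and pushes via stefanzweifel/git-auto-commit-action, yet every third-party action in this file is referenced by a mutable ref, and `luizm/action-sh-checker@master` floats to whatever that branch currently contains; a retagged or compromised action would run with push access to master. Pin each `uses:` to a full commit SHA (keep the tag in a trailing comment), add a top-level `permissions: contents: read` and grant `contents: write` only on the shfmt job, and replace `curl -sS https://webinstall.dev/shfmt | bash` with a versioned download whose checksum is verified before it is added to `$GITHUB_PATH`.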
Comment on lines +44 to +45
⚠️ Potential issue | 🔴 Critical

Fix actions/checkout@v6 and verify the yamllint action version.

The actions/checkout@v6 on line 44 likewise needs to be changed to v4.

🤖 Prompt for AI Agents
.github/workflows/lint.yml around lines 44 to 45: the workflow uses
actions/checkout@v6 which should be downgraded to actions/checkout@v4 and you
should verify the frenck/action-yamllint@v1 version is correct; update the
checkout step to use actions/checkout@v4 and confirm or pin the yamllint action
to the intended stable version (adjust the version tag if necessary).

18 changes: 18 additions & 0 deletions .github/workflows/security.yml
@@ -0,0 +1,18 @@
name: Security

on:
push:
branches: [master]
pull_request:
branches: [master]

jobs:
gitleaks:
runs-on: ubuntu-latest
steps:
- uses: actions/checkout@v6
with:
fetch-depth: 0
- uses: gitleaks/gitleaks-action@v2
env:
GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
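Review bot: the gitleaks job runs with the default token scope because no `permissions:` block is declared; the action only needs to read the repository (and `fetch-depth: 0` already gives it the full history to scan), so add `permissions: contents: read` to the job and pin `gitleaks/gitleaks-action@v2` and `actions/checkout@v6` to commit SHAs rather than floating tags. Keep in mind that this scan honours the repository's `.gitleaks.toml`, so any path allowlisted there is invisible to this check.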
19 changes: 19 additions & 0 deletions .github/workflows/test.yml
@@ -0,0 +1,19 @@
name: Test

on:
push:
branches: [master]
pull_request:
branches: [master]

jobs:
e2e:
runs-on: macos-latest
steps:
- uses: actions/checkout@v6
⚠️ Potential issue | 🔴 Critical

Change actions/checkout@v6 to v4.

This needs the same fix as the other workflows.

🔎 Suggested fix
-      - uses: actions/checkout@v6
+      - uses: actions/checkout@v4
🤖 Prompt for AI Agents
In .github/workflows/test.yml around line 13, the workflow references
actions/checkout@v6 but should be using v4 to match other workflows; update the
checkout action version from v6 to v4 (i.e., replace the version specifier) and
verify the rest of the file and other workflows remain consistent with v4 usage.

- name: Run install.sh
run: ./install.sh
- name: Setup Bats
run: brew install bats-core
- name: Run Bats tests
run: bats tests/
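Review bot: the e2e job runs `./install.sh` directly against the runner's real `$HOME`, and the install.sh changes in this PR show that script linking files into `$HOME/.ssh` and `$HOME/.gnupg` and applying `chmod 600` to them. For an isolated and repeatable test, point `HOME` at a fresh temporary directory in a first step (for example `echo "HOME=$(mktemp -d)" >> "$GITHUB_ENV"`) so both the install and the `bats tests/` run operate on a clean home, and pin `actions/checkout` to a commit SHA as in the other workflows.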
5 changes: 5 additions & 0 deletions .gitleaks.toml
@@ -0,0 +1,5 @@
[allowlist]
paths = [
".config/1Password/",
".ssh/config",
]
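Review bot: `paths` entries in a gitleaks allowlist are regular expressions, so `.ssh/config` and `.config/1Password/` are unanchored patterns in which `.` matches any character, and the whole 1Password directory is skipped wholesale. Anchor them (`^\.ssh/config$`, `^\.config/1Password/`) and, rather than exempting entire files, prefer a narrower `regexes` allowlist entry for the specific non-secret value that triggers the false positive, so that a real credential later added to `.ssh/config` (for example inside a `ProxyCommand`) or under `.config/1Password/` is still caught by both the pre-commit hook and the Security workflow that share this file.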
21 changes: 21 additions & 0 deletions .pre-commit-config.yaml
@@ -0,0 +1,21 @@
repos:
- repo: https://github.com/shellcheck-py/shellcheck-py
rev: v0.10.0.1
hooks:
- id: shellcheck
Comment on lines +2 to +5
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest shellcheck-py version from PyPI
pip index versions shellcheck-py 2>/dev/null | head -20 || echo "PyPI check failed, trying alternative methods"

# Also try to find version info from common sources
curl -s "https://api.github.com/repos/shellcheck-py/shellcheck-py/releases" 2>/dev/null | grep -o '"tag_name": "[^"]*"' | head -5 || echo "GitHub API failed"

Repository: fumiya-kume/dotfiles

Length of output: 150


🌐 Web query:

shellcheck-py latest version 2024 2025

💡 Result:

  • Latest in 2024: shellcheck-py 0.10.0.1 — released Mar 17, 2024. [1]
  • Latest in 2025: shellcheck-py 0.11.0.1 — released Aug 9, 2025. [1]

Sources: PyPI release history for shellcheck-py. [1]


Update the ShellCheck version to v0.11.0.1.

The current v0.10.0.1 is outdated. The latest version is v0.11.0.1 (released Aug 9, 2025). Updating to the new version enables the latest shell feature checks and issue detection.

🤖 Prompt for AI Agents
In .pre-commit-config.yaml around lines 2 to 5, the shellcheck-py hook is pinned
to rev v0.10.0.1; update the rev value to v0.11.0.1 so the hook uses the latest
ShellCheck release (v0.11.0.1). Save the file and run pre-commit autoupdate or
re-install hooks to ensure the new version is picked up.


- repo: https://github.com/scop/pre-commit-shfmt
rev: v3.8.0-1
hooks:
- id: shfmt
args: [-i, "2", -ci, -w]
Comment on lines +7 to +11
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🏁 Script executed:

#!/bin/bash
# Check latest version of pre-commit-shfmt from GitHub releases
# Using curl instead of gh API for better compatibility

curl -s https://api.github.com/repos/scop/pre-commit-shfmt/releases/latest | jq -r '.tag_name'

Repository: fumiya-kume/dotfiles

Length of output: 68


🏁 Script executed:

#!/bin/bash
# Try direct GitHub API without jq filtering first to see full response
curl -s https://api.github.com/repos/scop/pre-commit-shfmt/releases/latest | head -20

Repository: fumiya-kume/dotfiles

Length of output: 207


🌐 Web query:

pre-commit-shfmt latest version release github scop

💡 Result:

The latest release/tag for scop/pre-commit-shfmt is v3.12.0-2. (github.com)

Citations:


Update the shfmt version.

The current version v3.8.0-1 is outdated; we recommend updating to the latest version v3.12.0-2. The configured arguments (2-space indent, indented switch cases, write in place) are appropriate.

🤖 Prompt for AI Agents
In .pre-commit-config.yaml around lines 7 to 11 the shfmt hook rev is pinned to
v3.8.0-1 which is outdated; update the rev field to v3.12.0-2 while keeping the
existing args ([-i, "2", -ci, -w]) unchanged so the hook uses the newer shfmt
release.


- repo: https://github.com/gitleaks/gitleaks
rev: v8.18.4
hooks:
- id: gitleaks
Comment on lines +13 to +16
⚠️ Potential issue | 🟠 Major

🧩 Analysis chain

🌐 Web query:

gitleaks latest version 2024 2025

💡 Result:

As of Dec 30, 2025:

  • Latest gitleaks release: v8.30.0 (released Nov 26, 2025). [1]

Latest releases in 2024:

  • Newest gitleaks release in 2024: v8.22.1 (Dec 30, 2024). [2]

Sources:
[1] gitleaks GitHub releases (v8.30.0).
[2] mise-versions gitleaks release timeline (shows v8.22.1 on Dec 30, 2024).


🌐 Web query:

gitleaks v8.18.4 security advisory vulnerability

💡 Result:

Short answer: There is no public security advisory specifically for gitleaks v8.18.4 — that release is a small patch (rule/regex updates) rather than a security-fix release. For vulnerability listings and which versions are affected, see Snyk's gitleaks vulnerability page and the v8.18.4 changelog/merge request. [1][2]

Sources

  • Snyk — gitleaks vulnerability listings (shows CVEs and which versions are affected/fixed). [1]
  • GitLab merge request / changelog for gitleaks v8.18.4 (release notes showing rule/regex changes). [2]

If you want, I can: (a) list the CVEs Snyk attributes to gitleaks and which versions fix them, or (b) check the latest gitleaks release and security advisories and recommend an upgrade path.


Update the Gitleaks version.

v8.18.4 is currently in use, but the latest version is v8.30.0 (released Nov 26, 2025). Update rev in .pre-commit-config.yaml to v8.30.0 to apply the security and feature improvements.

🤖 Prompt for AI Agents
.pre-commit-config.yaml around lines 13 to 16: update the gitleaks hook revision
from v8.18.4 to the latest v8.30.0 by changing the rev value to "v8.30.0" so the
pre-commit configuration uses the newer release; save the file and run
pre-commit autoupdate or validate the config to ensure the updated hook resolves
correctly.


- repo: https://github.com/adrienverge/yamllint
rev: v1.35.1
hooks:
- id: yamllint
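Review bot: every hook `rev` in this file is a tag, and the version comments above only propose newer tags; tags are mutable, so for a reproducible and tamper-resistant setup run `pre-commit autoupdate --freeze`, which rewrites each `rev` to the full commit SHA and records the tag name in a trailing comment. Separately, the `shfmt` hook runs with `-w`, so it rewrites staged files during a commit and pre-commit then fails that commit until the modified files are re-staged; that is standard pre-commit behaviour, but worth documenting for contributors.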
Comment on lines +18 to +21
⚠️ Potential issue | 🟡 Minor

🧩 Analysis chain

🌐 Web query:

yamllint latest release version 2025 github adrienverge

💡 Result:

The latest yamllint release is v1.37.1 (tag v1.37.1), published May 4, 2025. [1][2]

Sources:

  • PyPI release metadata for yamllint 1.37.1 (upload May 4, 2025). [1]
  • adrienverge/yamllint GitHub repository (tags/releases). [2]

Update yamllint to the latest version v1.37.1.

v1.35.1 is currently configured, but the latest version is v1.37.1. To keep dependencies current, we recommend updating rev to v1.37.1.

🤖 Prompt for AI Agents
In .pre-commit-config.yaml around lines 18 to 21, the yamllint hook is pinned to
rev v1.35.1; update the rev value to v1.37.1 to use the latest yamllint release.
Edit that block replacing rev: v1.35.1 with rev: v1.37.1 and save the file, then
run pre-commit autoupdate or reinstall hooks (pre-commit clean && pre-commit
install) to ensure the new version is applied.

3 changes: 1 addition & 2 deletions home/.zshrc
@@ -61,14 +61,13 @@ h() {
emulate -L zsh
local selected src
src=$(builtin fc -ln 1 2>/dev/null) || return
selected=$(printf '%s\n' "${(f)src}" | awk '{a[NR]=$0} END{for(i=NR;i>=1;i--)if(!seen[a[i]]++)print a[i]}' | peco) || return
selected=$(print -l -- "${(f)src}" | awk '{a[NR]=$0} END{for(i=NR;i>=1;i--)if(!seen[a[i]]++)print a[i]}' | peco) || return
[[ -z "$selected" ]] && return
print -s -- "$selected"
echo "+ $selected"
eval "$selected"
}
# hide typed 'h' line just before execution
autoload -Uz add-zsh-hook
hide_h_preexec() {
if [[ "$1" == "h" ]]; then
print -n -- $'\e[1A\e[2K\r'
18 changes: 9 additions & 9 deletions install.sh
@@ -30,12 +30,12 @@ link() {
should_skip() {
local name="$1"
case "$name" in
.|..) return 0 ;;
.DS_Store|.localized) return 0 ;;
.git|.gitignore|.gitattributes|.gitmodules) return 0 ;;
*.swp|*.swo|*~) return 0 ;;
.*.bak|.*.backup) return 0 ;;
.env|.env.*|*.secret) return 0 ;;
. | ..) return 0 ;;
.DS_Store | .localized) return 0 ;;
.git | .gitignore | .gitattributes | .gitmodules) return 0 ;;
*.swp | *.swo | *~) return 0 ;;
.*.bak | .*.backup) return 0 ;;
.env | .env.* | *.secret) return 0 ;;
*) return 1 ;;
esac
}
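Review bot: this hunk is formatting only, but it is a good moment to look at what `should_skip` protects: it is a name-based denylist, and the only patterns that keep secret-bearing files from being linked into `$HOME` are `.env | .env.* | *.secret`. Private keys, `.netrc`, `*.pem` or a stray token file dropped into the dotfiles directory would pass this check; consider either an explicit allowlist of files that may be linked, or extending the denylist with the common credential file names, and pair it with the gitleaks pre-commit hook added in this PR so such files never reach the repository in the first place.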
@@ -67,7 +67,7 @@ if [[ -d "$DOTFILES_DIR/.ssh" ]]; then
[[ -e "$f" ]] || continue
name="$(basename "$f")"
case "$name" in
config|known_hosts|*.pub)
config | known_hosts | *.pub)
chmod 600 "$f"
link "$f" "$HOME/.ssh/$name"
;;
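Review bot: `chmod 600 "$f"` is applied to the repository copy before it is symlinked, which is what ssh actually checks since it follows the link, so the permission fix is effective; but ssh also rejects a `~/.ssh` directory that is group- or world-writable, and the creation of `$HOME/.ssh` is outside this hunk, so confirm it is created with `mkdir -p -m 700`. Applying 600 to `known_hosts` and `*.pub` is stricter than needed but harmless.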
@@ -87,7 +87,7 @@ if [[ -d "$DOTFILES_DIR/.gnupg" ]]; then
[[ -e "$f" ]] || continue
name="$(basename "$f")"
case "$name" in
gpg-agent.conf|gpg.conf|pubring.kbx|sshcontrol)
gpg-agent.conf | gpg.conf | pubring.kbx | sshcontrol)
link "$f" "$HOME/.gnupg/$name"
;;
*)
@@ -156,7 +156,7 @@ setup_uv_completion() {
"uv --generate-completion zsh" \
"uv completions zsh"; do
if output=$(eval "$cmd" 2>/dev/null) && [[ -n "$output" ]]; then
printf '%s\n' "$output" > "$out"
printf '%s\n' "$output" >"$out"
log "Generated uv zsh completion: $out"
return 0
fi
2 changes: 1 addition & 1 deletion scripts/install-homebrew.sh
@@ -9,5 +9,5 @@ fi

echo "Installing Homebrew..."
echo "This requires administrator privileges."
sudo -v # Prompt for password and cache credentials
sudo -v # Prompt for password and cache credentials
NONINTERACTIVE=1 /bin/bash -c "$(curl -fsSL https://raw.githubusercontent.com/Homebrew/install/HEAD/install.sh)"
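Review bot: the whitespace change is fine, but the line that follows pipes a script fetched from `HEAD` straight into `bash` immediately after `sudo -v` has cached administrator credentials, so whatever that URL serves at that moment runs with the ability to escalate. This is the installation method Homebrew itself documents, so it is a conscious trade-off; if the repository wants a stronger guarantee, download the installer to a file, review it or compare it against a known checksum, and only then execute it.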
15 changes: 9 additions & 6 deletions scripts/setup-macos.sh
@@ -1,3 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail

defaults write com.apple.finder AppleShowAllFiles TRUE
defaults write NSGlobalDomain AppleShowAllExtensions -bool true
defaults write com.apple.finder QLEnableTextSelection -bool true
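Review bot: `set -euo pipefail` is a good addition, but note that with `-e` any failing `defaults write` now aborts the script part-way through rather than continuing, so the remaining settings are skipped silently from the user's point of view; consider logging each step or running the non-critical writes with `|| true`. Minor: `AppleShowAllFiles TRUE` writes the string TRUE while every other line uses `-bool true`; make it `-bool true` for consistency.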
@@ -6,8 +9,8 @@ defaults write com.apple.driver.AppleBluetoothMultitouch.trackpad Clicking -bool
defaults write com.apple.Preview NSQuitAlwaysKeepsWindows -bool false
defaults write com.apple.dock autohide -bool true
defaults write NSGlobalDomain NSNavPanelExpandedStateForSaveMode -boolean true
defaults write com.apple.driver.AppleBluetoothMultitouch.trackpad TrackpadThreeFingerDrag -bool true && \
defaults write com.apple.AppleMultitouchTrackpad TrackpadThreeFingerDrag -bool true
defaults write com.apple.driver.AppleBluetoothMultitouch.trackpad TrackpadThreeFingerDrag -bool true &&
defaults write com.apple.AppleMultitouchTrackpad TrackpadThreeFingerDrag -bool true
defaults write com.apple.dock static-only -bool true
defaults write com.apple.TextEdit RichText -int 0
sudo chflags nohidden /Volumes
@@ -18,9 +21,9 @@ defaults write com.apple.menuextra.clock DateFormat -string "M\u6708d\u65e5(EEE)
defaults -currentHost write -globalDomain AppleFontSmoothing -int 2

defaults write com.apple.systemuiserver menuExtras -array \
"/System/Library/CoreServices/Menu Extras/Bluetooth.menu" \
"/System/Library/CoreServices/Menu Extras/AirPort.menu" \
"/System/Library/CoreServices/Menu Extras/Battery.menu" \
"/System/Library/CoreServices/Menu Extras/Clock.menu"
"/System/Library/CoreServices/Menu Extras/Bluetooth.menu" \
"/System/Library/CoreServices/Menu Extras/AirPort.menu" \
"/System/Library/CoreServices/Menu Extras/Battery.menu" \
"/System/Library/CoreServices/Menu Extras/Clock.menu"

killall Finder
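Review bot: with the `set -euo pipefail` added at the top of this file, the trailing `killall Finder` now aborts the script with a non-zero exit whenever Finder is not running (a CI runner or an SSH session), where previously the failure was ignored. Guard it with `killall Finder || true` so that a missing Finder process does not mark the whole setup as failed.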
31 changes: 31 additions & 0 deletions tests/symlinks.bats
@@ -0,0 +1,31 @@
#!/usr/bin/env bats

@test ".zshrc is symlink" {
[ -L "$HOME/.zshrc" ]
}

@test ".zshrc points to dotfiles" {
run readlink "$HOME/.zshrc"
[[ "$output" == *"dotfiles/home/.zshrc"* ]]
}

@test ".zprofile is symlink" {
[ -L "$HOME/.zprofile" ]
}

@test ".gitconfig is symlink" {
[ -L "$HOME/.gitconfig" ]
}

@test "starship.toml is symlink" {
[ -L "$HOME/.config/starship.toml" ]
}

@test ".tigrc is symlink" {
[ -L "$HOME/.tigrc" ]
}

@test "install.sh is idempotent" {
./install.sh
./install.sh
}
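Review bot: the `install.sh is idempotent` test only asserts that two consecutive runs exit 0; it does not show that the second run left the links untouched or created no backup or duplicate files. Record `readlink` of each managed path (or an `ls -la "$HOME"` listing) after the first run and compare it after the second so a regression that re-links or duplicates files is caught. The `.zshrc points to dotfiles` test uses an unanchored substring match, which also accepts any longer path containing `dotfiles/home/.zshrc`; compare against the full expected path instead.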