replicate · meatballhat · Apr 24, 2025 · Apr 24, 2025 · Apr 24, 2025
diff --git a/.github/workflows/ci.yaml b/.github/workflows/ci.yaml
@@ -25,3 +25,14 @@ jobs:
     with:
       image: valkey
       context: docker-images/valkey
+
+  lint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - uses: luizm/action-sh-checker@master
+        env:
+          GITHUB_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          SHFMT_OPTS: -i 4
+        with:
+          sh_checker_comment: true
diff --git a/docker-images/valkey/valkey-entrypoint/reload-certs b/docker-images/valkey/valkey-entrypoint/reload-certs
@@ -2,6 +2,7 @@
 set -eu
 
 # source the functions
+# shellcheck source=/dev/null
 . /opt/valkey/entrypoint/functions
 
 wait_for_valkey
@@ -19,7 +20,7 @@ trap handle_sigterm SIGTERM
 while $running; do
 
     # Ensure that a SIGTERM causes a fast exit of this process
-    for _ in $(seq 1 $RELOAD_INTERVAL); do
+    for _ in $(seq 1 "${RELOAD_INTERVAL}"); do
         if ! $running; then
             exit 0
         fi
@@ -28,5 +29,6 @@ while $running; do
     echo "Reloading TLS certificates"
 
     # We can connect to the local redis instance to reload the cert as this run on each valkey instance
+    # shellcheck disable=SC2086,SC2154
     valkey-cli $common_args --raw CONFIG GET tls-key-file | tail -n1 | head -c -1 | valkey-cli $common_args -x CONFIG SET tls-key-file
 done
diff --git a/docker-images/valkey/valkey-entrypoint/replication-coordinator b/docker-images/valkey/valkey-entrypoint/replication-coordinator
@@ -2,14 +2,15 @@
 set -euo pipefail
 
 # source the functions
+# shellcheck source=/dev/null
 . /opt/valkey/entrypoint/functions
 
 wait_for_valkey
 
 echo "Waiting for Valkey Sentinel to be ready"
 wait_for_sentinel "valkey-sentinel" "26379"
 
-SENTINEL_QUORUM=$(get_sentinel_quorum ${VALKEY_REQUIRED_SENTINELS})
+SENTINEL_QUORUM=$(get_sentinel_quorum "${VALKEY_REQUIRED_SENTINELS}")
 
 echo "Discovering Valkey Master via Sentinel"
 MASTER=$(get_master_addr_by_name "valkey-sentinel" "${VALKEY_NAME}")
@@ -30,6 +31,7 @@ if [[ "${MASTER}" == "null" ]]; then
         fi
     done
 
+    # shellcheck disable=SC2086,SC2154
     valkey-cli $common_args -p 6379 REPLICAOF no one
     echo "Notifying all Sentinels"
 
@@ -64,7 +66,8 @@ else
 
     echo "Master found: ${MASTER_ADDR}:${MASTER_PORT}"
     echo "Sending 'REPLICAOF ${MASTER_ADDR} ${MASTER_PORT}' to local Valkey"
-    valkey-cli $common_args -p 6379 REPLICAOF ${MASTER_ADDR} ${MASTER_PORT}
+    # shellcheck disable=SC2086
+    valkey-cli $common_args -p 6379 REPLICAOF "${MASTER_ADDR}" "${MASTER_PORT}"
 fi
 
 touch /opt/valkey/etc/ready

diff --git a/redis-base/reload-certs.sh b/redis-base/reload-certs.sh
@@ -1,15 +1,17 @@
-#!/bin/sh
-
+#!/usr/bin/env bash
 set -eu
 
 apk add --no-cache redis
 
 # Note: using REDIS_URL works because we know there's a single replica.
 # If we ever introduce read replicas, we'd need to connect to each one to force cert reload.
-redis_args="-e --tls -u $REDIS_URL"
+redis_args=(-e --tls -u "${REDIS_URL}")
 
 if [ -e /srv/redis-ca-bundle/ca-certs.crt ]; then
-    redis_args="$redis_args --cacert /srv/redis-ca-bundle/ca-certs.crt"
+    redis_args=("${redis_args[@]}" --cacert /srv/redis-ca-bundle/ca-certs.crt)
 fi
 
-redis-cli $redis_args --raw CONFIG GET tls-key-file | tail -n1 | head -c -1 | redis-cli $redis_args -x CONFIG SET tls-key-file
+redis-cli "${redis_args[@]}" --raw CONFIG GET tls-key-file |
+    tail -n1 |
+    head -c -1 |
+    redis-cli "${redis_args[@]}" -x CONFIG SET tls-key-file
diff --git a/redis-instance/reload-certs.sh b/redis-instance/reload-certs.sh
@@ -1,15 +1,17 @@
-#!/bin/sh
-
+#!/usr/bin/env bash
 set -eu
 
 apk add --no-cache redis
 
 # Note: using REDIS_URL works because we know there's a single replica.
 # If we ever introduce read replicas, we'd need to connect to each one to force cert reload.
-redis_args="-e --tls -u $REDIS_URL"
+redis_args=(-e --tls -u "${REDIS_URL}")
 
 if [ -e /srv/redis-ca-bundle/ca-certs.crt ]; then
-    redis_args="$redis_args --cacert /srv/redis-ca-bundle/ca-certs.crt"
+    redis_args=("${redis_args[@]}" --cacert /srv/redis-ca-bundle/ca-certs.crt)
 fi
 
-redis-cli $redis_args --raw CONFIG GET tls-key-file | tail -n1 | head -c -1 | redis-cli $redis_args -x CONFIG SET tls-key-file
+redis-cli "${redis_args[@]}" --raw CONFIG GET tls-key-file |
+    tail -n1 |
+    head -c -1 |
+    redis-cli "${redis_args[@]}" -x CONFIG SET tls-key-file
diff --git a/script/format b/script/format
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+shfmt -f . | xargs shfmt -i 4 -w
diff --git a/script/lint b/script/lint
@@ -0,0 +1,5 @@
+#!/usr/bin/env bash
+set -euo pipefail
+
+cd "$(git rev-parse --show-toplevel)"
+shfmt -f . | xargs shellcheck