Refactor shell scripts

.tool-versions

@@ -7,9 +7,14 @@ pre-commit 3.4.0
 # The section below is reserved for Docker image versions.
 
 # TODO: Move this section - consider using a different file for the repository template dependencies.
+# docker/ghcr.io/anchore/grype v0.69.1@sha256:d41fcb371d0af59f311e72123dff46900ebd6d0482391b5a830853ee4f9d1a76 # SEE: https://github.com/anchore/grype/pkgs/container/grype
+# docker/ghcr.io/anchore/syft v0.92.0@sha256:63c60f0a21efb13e80aa1359ab243e49213b6cc2d7e0f8179da38e6913b997e0 # SEE: https://github.com/anchore/syft/pkgs/container/syft
 # docker/ghcr.io/gitleaks/gitleaks v8.18.0@sha256:fd2b5cab12b563d2cc538b14631764a1c25577780e3b7dba71657d58da45d9d9 # SEE: https://github.com/gitleaks/gitleaks/pkgs/container/gitleaks
+# docker/ghcr.io/igorshubovych/markdownlint-cli v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d # SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli
+# docker/ghcr.io/make-ops-tools/gocloc latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032 # SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc
 # docker/ghcr.io/nhs-england-tools/github-runner-image 20230909-321fd1e-rt@sha256:ce4fd6035dc450a50d3cbafb4986d60e77cb49a71ab60a053bb1b9518139a646 # SEE: https://github.com/nhs-england-tools/github-runner-image/pkgs/container/github-runner-image
 # docker/hadolint/hadolint 2.12.0-alpine@sha256:7dba9a9f1a0350f6d021fb2f6f88900998a4fb0aaf8e4330aa8c38544f04db42 # SEE: https://hub.docker.com/r/hadolint/hadolint/tags
 # docker/hashicorp/terraform 1.5.6@sha256:180a7efa983386a27b43657ed610e9deed9e6c3848d54f9ea9b6cb8a5c8c25f5 # SEE: https://hub.docker.com/r/hashicorp/terraform/tags
 # docker/koalaman/shellcheck latest@sha256:e40388688bae0fcffdddb7e4dea49b900c18933b452add0930654b2dea3e7d5c # SEE: https://hub.docker.com/r/koalaman/shellcheck/tags
+# docker/mstruebing/editorconfig-checker 2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24 # SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags
 # docker/sonarsource/sonar-scanner-cli 5.0.1@sha256:494ecc3b5b1ee1625bd377b3905c4284e4f0cc155cff397805a244dee1c7d575 # SEE: https://hub.docker.com/r/sonarsource/sonar-scanner-cli/tags

scripts/docker/docker.lib.sh

@@ -27,8 +27,8 @@ function docker-build() {
 
   version-create-effective-file
   _create-effective-dockerfile
-  # The current directory must be changed for the image build script to access
-  # assets that need to be copied
+  # The current directory must be changed for the image build script to access
+  # assets that need to be copied
   current_dir=$(pwd)
   cd "$dir"
   docker build \
@@ -164,7 +164,7 @@ function docker-get-image-version-and-pull() {
   #   digest="sha256:hash"
 
   # Get the image full version from the '.tool-versions' file,
-  # match it by name and version regex, if given.
+  # match it by name and version regex, if given.
   local versions_file="${TOOL_VERSIONS:=$(git rev-parse --show-toplevel)/.tool-versions}"
   local version="latest"
   if [ -f "$versions_file" ]; then

scripts/docker/dockerfile-linter.sh

@@ -12,8 +12,8 @@ set -euo pipefail
 #
 # Arguments (provided as environment variables):
 #   file=Dockerfile         # Path to the Dockerfile to lint, relative to the project's top-level directory, default is './Dockerfile.effective'
-#   VERBOSE=true            # Show all the executed commands, default is 'false'
 #   FORCE_USE_DOCKER=true   # If set to true the command is run in a Docker container, default is 'false'
+#   VERBOSE=true            # Show all the executed commands, default is 'false'
 
 # ==============================================================================
 

scripts/docker/tests/docker.test.sh

@@ -73,12 +73,12 @@ function test-docker-build() {
 
 function test-docker-image-from-signature() {
 
-  # Arrange
+  # Arrange
   TOOL_VERSIONS="$(git rev-parse --show-toplevel)/scripts/docker/tests/.tool-versions.test"
   cp Dockerfile Dockerfile.effective
-  # Act
+  # Act
   _replace-image-latest-by-specific-version
-  # Assert
+  # Assert
   grep -q "FROM python:.*-alpine.*@sha256:.*" Dockerfile.effective && return 0 || return 1
 }
 

scripts/githooks/check-file-format.sh

@@ -6,13 +6,16 @@ set -euo pipefail
 
 # Pre-commit git hook to check the EditorConfig rules compliance over changed
 # files. It ensures all non-binary files across the codebase are formatted
-# according to the style defined in the `.editorconfig` file.
+# according to the style defined in the `.editorconfig` file. This is a
+# editorconfig command wrapper. It will run editorconfig natively if it is
+# installed, otherwise it will run it in a Docker container.
 #
 # Usage:
 #   $ check={all,staged-changes,working-tree-changes,branch} [dry_run=true] ./check-file-format.sh
 #
 # Options:
 #   BRANCH_NAME=other-branch-than-main  # Branch to compare with, default is `origin/main`
+#   FORCE_USE_DOCKER=true               # If set to true the command is run in a Docker container, default is 'false'
 #   VERBOSE=true                        # Show all the executed commands, default is `false`
 #
 # Exit codes:
@@ -38,12 +41,6 @@ set -euo pipefail
 
 # ==============================================================================
 
-# SEE: https://hub.docker.com/r/mstruebing/editorconfig-checker/tags, use the `linux/amd64` os/arch
-image_version=2.7.1@sha256:dd3ca9ea50ef4518efe9be018d669ef9cf937f6bb5cfe2ef84ff2a620b5ddc24
-
-# ==============================================================================
-
-
 function main() {
 
   cd "$(git rev-parse --show-toplevel)"
@@ -70,13 +67,42 @@ function main() {
       ;;
   esac
 
+  if command -v editorconfig > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    filter="$filter" dry_run_opt="${dry_run_opt:-}" cli-run-editorconfig
+  else
+    filter="$filter" dry_run_opt="${dry_run_opt:-}" docker-run-editorconfig
+  fi
+}
+
+# Run editorconfig natively.
+# Arguments (provided as environment variables):
+#   dry_run_opt=[dry run option]
+#   filter=[filter for files to check]
+function cli-run-editorconfig() {
+
+  # shellcheck disable=SC2046,SC2086
+  editorconfig \
+    --exclude '.git/' $dry_run_opt $($filter)
+}
+
+# Run editorconfig in a Docker container.
+# Arguments (provided as environment variables):
+#   dry_run_opt=[dry run option]
+#   filter=[filter for files to check]
+function docker-run-editorconfig() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+
+  # shellcheck disable=SC2155
+  local image=$(name=mstruebing/editorconfig-checker docker-get-image-version-and-pull)
   # We use /dev/null here as a backstop in case there are no files in the state
   # we choose. If the filter comes back empty, adding `/dev/null` onto it has
   # the effect of preventing `ec` from treating "no files" as "all the files".
   docker run --rm --platform linux/amd64 \
     --volume "$PWD":/check \
-    mstruebing/editorconfig-checker:$image_version \
-      sh -c "ec --exclude '.git/' ${dry_run_opt:-} \$($filter) /dev/null"
+    "$image" \
+      sh -c "ec --exclude '.git/' $dry_run_opt \$($filter) /dev/null"
 }
 
 # ==============================================================================

scripts/githooks/check-markdown-format.sh

@@ -5,13 +5,16 @@
 set -euo pipefail
 
 # Pre-commit git hook to check the Markdown file formatting rules compliance
-# over changed files.
+# over changed files. This is a markdownlint command wrapper. It will run
+# markdownlint natively if it is installed, otherwise it will run it in a Docker
+# container.
 #
 # Usage:
 #   $ check={all,staged-changes,working-tree-changes,branch} ./check-markdown-format.sh
 #
 # Options:
 #   BRANCH_NAME=other-branch-than-main  # Branch to compare with, default is `origin/main`
+#   FORCE_USE_DOCKER=true               # If set to true the command is run in a Docker container, default is 'false'
 #   VERBOSE=true                        # Show all the executed commands, default is `false`
 #
 # Exit codes:
@@ -27,11 +30,6 @@ set -euo pipefail
 
 # ==============================================================================
 
-# SEE: https://github.com/igorshubovych/markdownlint-cli/pkgs/container/markdownlint-cli, use the `linux/amd64` os/arch
-image_version=v0.37.0@sha256:fb3e79946fce78e1cde84d6798c6c2a55f2de11fc16606a40d49411e281d950d
-
-# ==============================================================================
-
 function main() {
 
   cd "$(git rev-parse --show-toplevel)"
@@ -53,15 +51,43 @@ function main() {
   esac
 
   if [ -n "$files" ]; then
-    # shellcheck disable=SC2086
-    docker run --rm --platform linux/amd64 \
-      --volume "$PWD":/workdir \
-      ghcr.io/igorshubovych/markdownlint-cli:$image_version \
-        $files \
-        --config /workdir/scripts/config/markdownlint.yaml
+    if command -v markdownlint > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+      files="$files" cli-run-markdownlint
+    else
+      files="$files" docker-run-markdownlint
+    fi
   fi
 }
 
+# Run markdownlint natively.
+# Arguments (provided as environment variables):
+#   files=[files to check]
+function cli-run-markdownlint() {
+
+  # shellcheck disable=SC2086
+  markdownlint \
+    $files \
+    --config "$PWD/scripts/config/markdownlint.yaml"
+}
+
+# Run markdownlint in a Docker container.
+# Arguments (provided as environment variables):
+#   files=[files to check]
+function docker-run-markdownlint() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+
+  # shellcheck disable=SC2155
+  local image=$(name=ghcr.io/igorshubovych/markdownlint-cli docker-get-image-version-and-pull)
+  # shellcheck disable=SC2086
+  docker run --rm --platform linux/amd64 \
+    --volume "$PWD":/workdir \
+    "$image" \
+      $files \
+      --config /workdir/scripts/config/markdownlint.yaml
+}
+
 # ==============================================================================
 
 function is-arg-true() {

scripts/githooks/check-terraform-format.sh

@@ -11,8 +11,8 @@ set -euo pipefail
 #
 # Options:
 #   check_only=true         # Do not format, run check only, default is 'false'
-#   VERBOSE=true            # Show all the executed commands, default is 'false'
 #   FORCE_USE_DOCKER=true   # If set to true the command is run in a Docker container, default is 'false'
+#   VERBOSE=true            # Show all the executed commands, default is 'false'
 
 # ==============================================================================
 

scripts/githooks/scan-secrets.sh

@@ -4,15 +4,17 @@
 
 set -euo pipefail
 
-# Pre-commit git hook to scan for secrets hard-coded in the codebase.
+# Pre-commit git hook to scan for secrets hard-coded in the codebase. This is a
+# gitleaks command wrapper. It will run gitleaks natively if it is installed,
+# otherwise it will run it in a Docker container.
 #
 # Usage:
 #   $ ./scan-secrets.sh
 #
 # Options:
 #   check={whole-history,last-commit,staged-changes}  # Type of the check to run, default is 'staged-changes'
-#   VERBOSE=true                                      # Show all the executed commands, default is 'false'
 #   FORCE_USE_DOCKER=true                             # If set to true the command is run in a Docker container, default is 'false'
+#   VERBOSE=true                                      # Show all the executed commands, default is 'false'
 #
 # Exit codes:
 #   0 - No leaks present

scripts/init.mk

@@ -88,7 +88,7 @@ else
 	.SHELLFLAGS := -ce
 endif
 
-# This script parses all the make target descriptions and renders the help output.
+# This script parses all the make target descriptions and renders the help output.
 HELP_SCRIPT = \
 	\
 	use Text::Wrap; \

scripts/reports/cloc-repository.sh

@@ -4,19 +4,17 @@
 
 set -euo pipefail
 
-# Count lines of code of this repository.
+# Count lines of code of this repository. This is a gocloc command wrapper. It
+# will run gocloc natively if it is installed, otherwise it will run it in a
+# Docker container.
 #
 # Usage:
 #   $ ./cloc-repository.sh
 #
 # Options:
-#   VERBOSE=true                        # Show all the executed commands, default is `false`
 #   BUILD_DATETIME=%Y-%m-%dT%H:%M:%S%z  # Build datetime, default is `date -u +'%Y-%m-%dT%H:%M:%S%z'`
-
-# ==============================================================================
-
-# SEE: https://github.com/make-ops-tools/gocloc/pkgs/container/gocloc, use the `linux/amd64` os/arch
-image_version=latest@sha256:6888e62e9ae693c4ebcfed9f1d86c70fd083868acb8815fe44b561b9a73b5032
+#   FORCE_USE_DOCKER=true               # If set to true the command is run in a Docker container, default is 'false'
+#   VERBOSE=true                        # Show all the executed commands, default is `false`
 
 # ==============================================================================
 
@@ -28,20 +26,44 @@ function main() {
   enrich-report
 }
 
+# Create the report.
 function create-report() {
 
+  if command -v gocloc > /dev/null 2>&1 && ! is-arg-true "${FORCE_USE_DOCKER:-false}"; then
+    cli-run-gocloc
+  else
+    docker-run-gocloc
+  fi
+  # shellcheck disable=SC2002
+  cat cloc-report.tmp.json \
+    | jq -r '["Language","files","blank","comment","code"],["--------"],(.languages[]|[.name,.files,.blank,.comment,.code]),["-----"],(.total|["TOTAL",.files,.blank,.comment,.code])|@tsv' \
+    | sed 's/Plain Text/Plaintext/g' \
+    | column -t
+}
+
+# Run gocloc natively.
+function cli-run-gocloc() {
+
+  gocloc --output-type=json . > cloc-report.tmp.json
+}
+
+# Run gocloc in a Docker container.
+function docker-run-gocloc() {
+
+  # shellcheck disable=SC1091
+  source ./scripts/docker/docker.lib.sh
+
+  # shellcheck disable=SC2155
+  local image=$(name=ghcr.io/make-ops-tools/gocloc docker-get-image-version-and-pull)
   docker run --rm --platform linux/amd64 \
     --volume "$PWD":/workdir \
-    ghcr.io/make-ops-tools/gocloc:$image_version \
+    "$image" \
       --output-type=json \
       . \
   > cloc-report.tmp.json
-  if which jq > /dev/null && which column > /dev/null; then
-    # shellcheck disable=SC2002
-    cat cloc-report.tmp.json | jq -r '["Language","files","blank","comment","code"],["--------"],(.languages[]|[.name,.files,.blank,.comment,.code]),["-----"],(.total|["TOTAL",.files,.blank,.comment,.code])|@tsv' | column -t
-  fi
 }
 
+# Include additional information in the report.
 function enrich-report() {
 
   build_datetime=${BUILD_DATETIME:-$(date -u +'%Y-%m-%dT%H:%M:%S%z')}