diff --git a/.github/workflows/oelint.yaml b/.github/workflows/oelint.yaml new file mode 100644 index 0000000..ec334d7 --- /dev/null +++ b/.github/workflows/oelint.yaml @@ -0,0 +1,25 @@ +name: OE Lint + +on: + pull_request: + merge_group: + push: + branches: + - master + +concurrency: + group: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref }} + cancel-in-progress: true + +jobs: + oelint: + runs-on: ubuntu-latest + steps: + - uses: ossystems/nix-actions@v1 + with: + install-nix: true + flake-check: false + build-hosts: false + build-devshells: false + devshell: github:OSSystems/yocto-env.nix#lint + run: ./contrib/oelint/run-oelint.sh diff --git a/.oelint.cfg b/.oelint.cfg new file mode 100644 index 0000000..647a719 --- /dev/null +++ b/.oelint.cfg @@ -0,0 +1,6 @@ +# oelint-adv defaults, auto-loaded from the working directory. Every recipe +# here is target-only, so oelint.var.bbclassextend never applies; all other +# exceptions stay inline as '# nooelint: ' comments. +[oelint] +release = wrynose +suppress = oelint.var.bbclassextend diff --git a/classes/shellhub-rootfs-postcommand.bbclass b/classes/shellhub-rootfs-postcommand.bbclass index c36a38b..8c24f2f 100644 --- a/classes/shellhub-rootfs-postcommand.bbclass +++ b/classes/shellhub-rootfs-postcommand.bbclass @@ -1,3 +1,4 @@ +# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na no EXPORT_FUNCTIONS here, so the dash is harmless # Allow overriding of ShellHub Tenant ID # # Required variable: 
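Review bot: The new workflow has no `permissions:` block, so the `oelint` job runs with the repository's default GITHUB_TOKEN scope even though linting only needs to read the tree; adding a top-level `permissions:` with `contents: read` would make the least-privilege intent explicit. In the same job, `ossystems/nix-actions@v1` is a movable tag and `devshell: github:OSSystems/yocto-env.nix#lint` carries no revision, so the code the job executes can change without any commit in this repository. Pinning the action to a full commit SHA and the flake reference to a specific revision would make runs reproducible and reviewable.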
@@ -9,9 +10,9 @@ # # Copyright 2021 (C) O.S. Systems Software LTDA. - # Override the TENANT_ID from existing ShellHub configuration file. -ROOTFS_POSTPROCESS_COMMAND += 'shellhub_override_tenant_id ;' +ROOTFS_POSTPROCESS_COMMAND += "shellhub_override_tenant_id;" +shellhub_override_tenant_id[doc] = "Override the ShellHub TENANT_ID in the rootfs config from SHELLHUB_ROOTFS_TENANT_ID." shellhub_override_tenant_id () { if [ ! -e "${IMAGE_ROOTFS}${sysconfdir}/default/shellhub-agent" ]; then bbfatal "'${sysconfdir}/default/shellhub-agent' doesn't exist." diff --git a/contrib/oelint/run-oelint.sh b/contrib/oelint/run-oelint.sh new file mode 100755 index 0000000..09c0562 --- /dev/null +++ b/contrib/oelint/run-oelint.sh @@ -0,0 +1,23 @@ +#!/bin/sh +# Run oelint-adv over meta-shellhub. Requires oelint-adv on PATH. +# +# Configuration is declarative and lives at the layer root: .oelint.cfg +# (--release plus the bbclassextend suppression) and oelint.constants.json +# (the layer constant-DB additions). Both are auto-loaded, so this script only +# enumerates the files to lint. +set -eu + +unset CDPATH + +here=$(cd -- "$(dirname -- "$0")" && pwd) +layer=$(cd -- "$here/../.." && pwd) +cd -- "$layer" + +files=$(find . \ + \( -name '*.bb' -o -name '*.bbappend' -o -name '*.bbclass' -o -name '*.inc' \) \ + | sort) + +# Run serially: parallel workers race while loading the layer constants and +# emit spurious "unknown variable/override" findings. Pass '--jobs N' to override. +# shellcheck disable=SC2086 +exec oelint-adv --jobs 1 "$@" $files diff --git a/oelint.constants.json b/oelint.constants.json new file mode 100644 index 0000000..b53d86d --- /dev/null +++ b/oelint.constants.json @@ -0,0 +1,11 @@ +{ + "comment": "Layer constant DB, auto-loaded by oelint-adv from the layer root. Declares the OEL project distro/machine override tokens it cannot know about when run standalone.", + "replacements": { + "distros": [ + "oel" + ], + "machines": [ + "arm" + ] + } +} 
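Review bot: In `contrib/oelint/run-oelint.sh`, the final `exec oelint-adv --jobs 1 "$@" $files` depends on unquoted expansion, so any path containing whitespace or glob characters is split or expanded before the linter sees it, and the SC2086 suppression hides exactly that. On `pull_request` runs those file names come from the contributor's tree, so the argument list should not be shaped by them. Letting find hand the names over directly avoids the splitting, at the cost of the sorted order: `find . \( -name '*.bb' -o -name '*.bbappend' -o -name '*.bbclass' -o -name '*.inc' \) -exec oelint-adv --jobs 1 "$@" {} +`. Separately, `find .` also descends into `.git` and any build directory below the layer root, so a `-path ./.git -prune` would keep the list to the layer's own files.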
diff --git a/recipes-core/packagegroups/packagegroup-shellhub.bb b/recipes-core/packagegroups/packagegroup-shellhub.bb index af5e716..379b868 100644 --- a/recipes-core/packagegroups/packagegroup-shellhub.bb +++ b/recipes-core/packagegroups/packagegroup-shellhub.bb @@ -1,4 +1,7 @@ SUMMARY = "ShellHub runtime support" +DESCRIPTION = "Packagegroup pulling in the ShellHub agent and its runtime dependencies." +BUGTRACKER = "https://github.com/shellhub-io/shellhub/issues" +SECTION = "console/network" LICENSE = "MIT" @@ -6,6 +9,4 @@ inherit packagegroup PACKAGES += "${PN}-runtime" -RDEPENDS:${PN}-runtime += " \ - shellhub-agent \ -" +RDEPENDS:${PN}-runtime = "shellhub-agent" diff --git a/recipes-core/shellhub/shellhub-agent-config.bb b/recipes-core/shellhub/shellhub-agent-config.bb deleted file mode 100644 index 8f171ed..0000000 --- a/recipes-core/shellhub/shellhub-agent-config.bb +++ /dev/null @@ -1,31 +0,0 @@ -SUMMARY = "ShellHub Configuration" -LICENSE = "MIT" -LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" -INHIBIT_DEFAULT_DEPS = "1" - -do_patch[noexec] = "1" -do_configure[noexec] = "1" - -SHELLHUB_SERVER_ADDRESS ??= "https://cloud.shellhub.io" -SHELLHUB_PRIVATE_KEY ??= "${sysconfdir}/shellhub-agent.key" -SHELLHUB_TENANT_ID ??= "undefined" - -python () { - if d.getVar("SHELLHUB_TENANT_ID", False) == "undefined": - raise bb.parse.SkipRecipe("To enable ShellHub support, the 'SHELLHUB_TENANT_ID' variable must be set.") -} - -do_compile () { - cat <<- EOF > shellhub-agent.default - SERVER_ADDRESS="${SHELLHUB_SERVER_ADDRESS}" - PRIVATE_KEY="${SHELLHUB_PRIVATE_KEY}" - TENANT_ID="${SHELLHUB_TENANT_ID}" - EOF -} - -do_install () { - # Install the global configuration - install -Dm 0644 shellhub-agent.default ${D}${sysconfdir}/default/shellhub-agent -} - -PACKAGE_ARCH = "${MACHINE_ARCH}" 
diff --git a/recipes-core/shellhub/shellhub-agent-config_1.0.bb b/recipes-core/shellhub/shellhub-agent-config_1.0.bb new file mode 100644 index 0000000..792f579 --- /dev/null +++ b/recipes-core/shellhub/shellhub-agent-config_1.0.bb @@ -0,0 +1,38 @@ +# nooelint: oelint.var.mandatoryvar.SRC_URI oelint.var.suggestedvar.CVE_PRODUCT config recipe: it generates its config inline (no SRC_URI) and ships no code to CVE-track +SUMMARY = "ShellHub Configuration" +DESCRIPTION = "Generates the global ShellHub agent configuration (server address, private key path and tenant ID)." +HOMEPAGE = "https://shellhub.io" +BUGTRACKER = "https://github.com/shellhub-io/shellhub/issues" +SECTION = "console/network" +LICENSE = "MIT" +# nooelint: oelint.var.licenseremotefile layer-internal recipe, no upstream source to carry a license file +LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420" +INHIBIT_DEFAULT_DEPS = "1" + +do_patch[noexec] = "1" +do_configure[noexec] = "1" + +SHELLHUB_SERVER_ADDRESS ??= "https://cloud.shellhub.io" +SHELLHUB_PRIVATE_KEY ??= "${sysconfdir}/shellhub-agent.key" +SHELLHUB_TENANT_ID ??= "undefined" + +# nooelint: oelint.task.noanonpython required to SkipRecipe at parse time +python () { + if d.getVar("SHELLHUB_TENANT_ID", False) == "undefined": + raise bb.parse.SkipRecipe("To enable ShellHub support, the 'SHELLHUB_TENANT_ID' variable must be set.") +} + +do_compile () { + { + echo "SERVER_ADDRESS=\"${SHELLHUB_SERVER_ADDRESS}\"" + echo "PRIVATE_KEY=\"${SHELLHUB_PRIVATE_KEY}\"" + echo "TENANT_ID=\"${SHELLHUB_TENANT_ID}\"" + } > shellhub-agent.default +} + +do_install () { + # Install the global configuration + install -Dm 0644 shellhub-agent.default ${D}${sysconfdir}/default/shellhub-agent +} + +PACKAGE_ARCH = "${MACHINE_ARCH}" diff --git a/recipes-core/shellhub/shellhub-agent_0.25.1.bb b/recipes-core/shellhub/shellhub-agent_0.25.1.bb index bfb25f7..6a818c6 100644 --- a/recipes-core/shellhub/shellhub-agent_0.25.1.bb 
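Review bot: The anonymous python guard in `shellhub-agent-config_1.0.bb` only rejects the literal default `undefined`, so an empty or whitespace-only `SHELLHUB_TENANT_ID` still builds and ships a `TENANT_ID=""` config; something like `if (d.getVar("SHELLHUB_TENANT_ID") or "").strip() in ("", "undefined"):` would close that gap. In `do_compile` the three values are placed between escaped double quotes with no escaping, so a value containing `"`, `$` or a backtick is interpreted by the build shell, and again on the target if the installed file is sourced by the init script (not visible in this hunk). Checking the allowed characters in the same python block, or at least adding a comment such as `# values must not contain ", $ or backticks: written verbatim into a shell-style file`, would make the constraint explicit.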
+++ b/recipes-core/shellhub/shellhub-agent_0.25.1.bb @@ -1,10 +1,14 @@ SUMMARY = "ShellHub Agent" +DESCRIPTION = "ShellHub agent: enables remote SSH access to Linux devices behind firewall or NAT." HOMEPAGE = "https://shellhub.io" +BUGTRACKER = "https://github.com/shellhub-io/shellhub/issues" +SECTION = "console/network" +CVE_PRODUCT = "shellhub" LICENSE = "Apache-2.0" LIC_FILES_CHKSUM = "file://${S}/src/${GO_IMPORT}/LICENSE.md;md5=fa818a259cbed7ce8bc2a22d35a464fc" DEPENDS = "libxcrypt" -SRC_URI = " \ +SRC_URI = "\ git://github.com/shellhub-io/shellhub;protocol=https;nobranch=1;destsuffix=${GO_SRCURI_DESTSUFFIX} \ file://shellhub-agent.initd \ file://shellhub-agent.profile.d \ @@ -34,11 +38,12 @@ GO_LDFLAGS = '-ldflags="${GO_RPATH} ${GO_LINKMODE} -X main.AgentVersion=v${PV} - GOBUILDFLAGS:append = " -modcacherw" do_compile[dirs] += "${B}/src/${GO_IMPORT}/agent" +# nooelint: oelint.task.network go modules are fetched during compile do_compile[network] = "1" do_install:append() { # We name the binary as shellhub-agent - mkdir -p ${D}${libexecdir}/shellhub/bin/ + install -d ${D}${libexecdir}/shellhub/bin/ mv ${D}${bindir}/agent ${D}${libexecdir}/shellhub/bin/shellhub-agent # Handle init system integration @@ -66,9 +71,9 @@ do_install:append() { RDEPENDS:${PN} += "\ openssh-scp \ - shellhub-agent-config \ shadow \ + shellhub-agent-config \ " +RDEPENDS:${PN}-dev += "bash" RRECOMMENDS:${PN} += "ca-certificates" -RDEPENDS:${PN}-dev += "bash"
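Review bot: The added `# nooelint: oelint.task.network go modules are fetched during compile` silences the finding on `do_compile[network] = "1"` but does not say what protects those downloads, which happen outside the fetcher and so outside its checksums and mirrors. I would extend the reason to state the integrity assumption, e.g. `# nooelint: oelint.task.network go modules are fetched during compile; integrity relies on go.sum from the pinned source revision`, and confirm that nothing in the build environment disables Go's sum checking. The revision pin and the rest of the recipe are outside this hunk, so this is inferred from the visible `do_compile[network]` and `-modcacherw` lines.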