Add oelint-adv linting with a clean, blocking CI gate

.github/workflows/oelint.yaml

@@ -0,0 +1,25 @@
+name: OE Lint
+
+on:
+  pull_request:
+  merge_group:
+  push:
+    branches:
+      - master
+
+concurrency:
+  group: ${{ github.repository }}-${{ github.workflow }}-${{ github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  oelint:
+    runs-on: ubuntu-latest
+    steps:
+      - uses: ossystems/nix-actions@v1
+        with:
+          install-nix: true
+          flake-check: false
+          build-hosts: false
+          build-devshells: false
+          devshell: github:OSSystems/yocto-env.nix#lint
+          run: ./contrib/oelint/run-oelint.sh

.oelint.cfg

@@ -0,0 +1,6 @@
+# oelint-adv defaults, auto-loaded from the working directory. Every recipe
+# here is target-only, so oelint.var.bbclassextend never applies; all other
+# exceptions stay inline as '# nooelint: <rule.id>' comments.
+[oelint]
+release = wrynose
+suppress = oelint.var.bbclassextend

classes/shellhub-rootfs-postcommand.bbclass

@@ -1,3 +1,4 @@
+# nooelint: oelint.bbclass.underscores oelint.file.inlinesuppress_na  no EXPORT_FUNCTIONS here, so the dash is harmless
 # Allow overriding of ShellHub Tenant ID
 #
 # Required variable:
@@ -9,9 +10,9 @@
 #
 # Copyright 2021 (C) O.S. Systems Software LTDA.
 
-
 # Override the TENANT_ID from existing ShellHub configuration file.
-ROOTFS_POSTPROCESS_COMMAND += 'shellhub_override_tenant_id ;'
+ROOTFS_POSTPROCESS_COMMAND += "shellhub_override_tenant_id;"
+shellhub_override_tenant_id[doc] = "Override the ShellHub TENANT_ID in the rootfs config from SHELLHUB_ROOTFS_TENANT_ID."
 shellhub_override_tenant_id () {
     if [ ! -e "${IMAGE_ROOTFS}${sysconfdir}/default/shellhub-agent" ]; then
         bbfatal "'${sysconfdir}/default/shellhub-agent' doesn't exist."

contrib/oelint/run-oelint.sh

@@ -0,0 +1,23 @@
+#!/bin/sh
+# Run oelint-adv over meta-shellhub. Requires oelint-adv on PATH.
+#
+# Configuration is declarative and lives at the layer root: .oelint.cfg
+# (--release plus the bbclassextend suppression) and oelint.constants.json
+# (the layer constant-DB additions). Both are auto-loaded, so this script only
+# enumerates the files to lint.
+set -eu
+
+unset CDPATH
+
+here=$(cd -- "$(dirname -- "$0")" && pwd)
+layer=$(cd -- "$here/../.." && pwd)
+cd -- "$layer"
+
+files=$(find . \
+    \( -name '*.bb' -o -name '*.bbappend' -o -name '*.bbclass' -o -name '*.inc' \) \
+    | sort)
+
+# Run serially: parallel workers race while loading the layer constants and
+# emit spurious "unknown variable/override" findings. Pass '--jobs N' to override.
+# shellcheck disable=SC2086
+exec oelint-adv --jobs 1 "$@" $files

oelint.constants.json

@@ -0,0 +1,11 @@
+{
+    "comment": "Layer constant DB, auto-loaded by oelint-adv from the layer root. Declares the OEL project distro/machine override tokens it cannot know about when run standalone.",
+    "replacements": {
+        "distros": [
+            "oel"
+        ],
+        "machines": [
+            "arm"
+        ]
+    }
+}

recipes-core/packagegroups/packagegroup-shellhub.bb

@@ -1,11 +1,12 @@
 SUMMARY = "ShellHub runtime support"
+DESCRIPTION = "Packagegroup pulling in the ShellHub agent and its runtime dependencies."
+BUGTRACKER = "https://github.com/shellhub-io/shellhub/issues"
+SECTION = "console/network"
 
 LICENSE = "MIT"
 
 inherit packagegroup
 
 PACKAGES += "${PN}-runtime"
 
-RDEPENDS:${PN}-runtime += " \
-    shellhub-agent \
-"
+RDEPENDS:${PN}-runtime = "shellhub-agent"

recipes-core/shellhub/shellhub-agent-config_1.0.bb

@@ -0,0 +1,38 @@
+# nooelint: oelint.var.mandatoryvar.SRC_URI oelint.var.suggestedvar.CVE_PRODUCT  config recipe: it generates its config inline (no SRC_URI) and ships no code to CVE-track
+SUMMARY = "ShellHub Configuration"
+DESCRIPTION = "Generates the global ShellHub agent configuration (server address, private key path and tenant ID)."
+HOMEPAGE = "https://shellhub.io"
+BUGTRACKER = "https://github.com/shellhub-io/shellhub/issues"
+SECTION = "console/network"
+LICENSE = "MIT"
+# nooelint: oelint.var.licenseremotefile  layer-internal recipe, no upstream source to carry a license file
+LIC_FILES_CHKSUM = "file://${COREBASE}/meta/COPYING.MIT;md5=3da9cfbcb788c80a0384361b4de20420"
+INHIBIT_DEFAULT_DEPS = "1"
+
+do_patch[noexec] = "1"
+do_configure[noexec] = "1"
+
+SHELLHUB_SERVER_ADDRESS ??= "https://cloud.shellhub.io"
+SHELLHUB_PRIVATE_KEY ??= "${sysconfdir}/shellhub-agent.key"
+SHELLHUB_TENANT_ID ??= "undefined"
+
+# nooelint: oelint.task.noanonpython  required to SkipRecipe at parse time
+python () {
+    if d.getVar("SHELLHUB_TENANT_ID", False) == "undefined":
+        raise bb.parse.SkipRecipe("To enable ShellHub support, the 'SHELLHUB_TENANT_ID' variable must be set.")
+}
+
+do_compile () {
+    {
+        echo "SERVER_ADDRESS=\"${SHELLHUB_SERVER_ADDRESS}\""
+        echo "PRIVATE_KEY=\"${SHELLHUB_PRIVATE_KEY}\""
+        echo "TENANT_ID=\"${SHELLHUB_TENANT_ID}\""
+    } > shellhub-agent.default
+}
+
+do_install () {
+    # Install the global configuration
+    install -Dm 0644 shellhub-agent.default ${D}${sysconfdir}/default/shellhub-agent
+}
+
+PACKAGE_ARCH = "${MACHINE_ARCH}"

recipes-core/shellhub/shellhub-agent_0.25.1.bb

@@ -1,10 +1,14 @@
 SUMMARY = "ShellHub Agent"
+DESCRIPTION = "ShellHub agent: enables remote SSH access to Linux devices behind firewall or NAT."
 HOMEPAGE = "https://shellhub.io"
+BUGTRACKER = "https://github.com/shellhub-io/shellhub/issues"
+SECTION = "console/network"
+CVE_PRODUCT = "shellhub"
 LICENSE = "Apache-2.0"
 LIC_FILES_CHKSUM = "file://${S}/src/${GO_IMPORT}/LICENSE.md;md5=fa818a259cbed7ce8bc2a22d35a464fc"
 DEPENDS = "libxcrypt"
 
-SRC_URI = " \
+SRC_URI = "\
     git://github.com/shellhub-io/shellhub;protocol=https;nobranch=1;destsuffix=${GO_SRCURI_DESTSUFFIX} \
     file://shellhub-agent.initd \
     file://shellhub-agent.profile.d \
@@ -34,11 +38,12 @@ GO_LDFLAGS = '-ldflags="${GO_RPATH} ${GO_LINKMODE} -X main.AgentVersion=v${PV} -
 GOBUILDFLAGS:append = " -modcacherw"
 
 do_compile[dirs] += "${B}/src/${GO_IMPORT}/agent"
+# nooelint: oelint.task.network  go modules are fetched during compile
 do_compile[network] = "1"
 
 do_install:append() {
     # We name the binary as shellhub-agent
-    mkdir -p ${D}${libexecdir}/shellhub/bin/
+    install -d ${D}${libexecdir}/shellhub/bin/
     mv ${D}${bindir}/agent ${D}${libexecdir}/shellhub/bin/shellhub-agent
 
     # Handle init system integration
@@ -66,9 +71,9 @@ do_install:append() {
 
 RDEPENDS:${PN} += "\
     openssh-scp \
-    shellhub-agent-config \
     shadow \
+    shellhub-agent-config \
 "
+RDEPENDS:${PN}-dev += "bash"
 
 RRECOMMENDS:${PN} += "ca-certificates"
-RDEPENDS:${PN}-dev += "bash"