Extend validate-action-pins with list, updates, and branch-pin support

.github/workflows/ci.yml

@@ -17,6 +17,20 @@ jobs:
       - name: Lint
         run: make lint
 
+  bats:
+    name: BATS
+    runs-on: ubuntu-latest
+    container: ghcr.io/knight-owl-dev/ci-tools:latest
+    steps:
+      - name: Checkout
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+
+      # The default BATS_RUNNER docker-runs the ci-tools image for local
+      # macOS users who may not have bats installed. In CI we're already
+      # inside that image, so override to run bats directly.
+      - name: Run BATS tests
+        run: make test-bats BATS_RUNNER=bats
+
   # Builds run on ubuntu-latest (x86_64) for both architectures. The tools
   # are bash scripts, so nfpm produces valid debs regardless of host arch.
   # Architecture-specific testing happens in test-deb using native runners.

Makefile

@@ -7,10 +7,14 @@ IMAGE_TAG ?= $(IMAGE):local
 VALIDATE_ACTION_PINS := $(shell \
 	command -v validate-action-pins 2>/dev/null \
 	|| echo images/ci-tools/bin/validate-action-pins)
+# Pass `-t` to `docker run` when stdin is a terminal, so TTY-aware tools
+# (bats pretty output, etc.) see a real terminal inside the container.
+# Override with `DOCKER_TTY=` (empty) or `DOCKER_TTY=-t` (force) as needed.
+DOCKER_TTY ?= $(shell test -t 0 && echo -t)
 
 .PHONY: sync resolve build verify scan clean \
 	lint lint-fix lint-lockfile lint-docker lint-sh lint-sh-fmt lint-sh-fmt-fix \
-	lint-actions lint-md lint-md-fix lint-man man test-package help
+	lint-actions lint-md lint-md-fix lint-man man test-package test-bats help
 
 # Resolve latest versions, build, and verify image
 sync: resolve build verify
@@ -28,15 +32,15 @@ build:
 
 # Verify all tools in the built image
 verify:
-	@docker run --rm \
+	@docker run --rm $(DOCKER_TTY) \
 		-v $(CURDIR)/scripts:/scripts \
 		-v $(CURDIR)/images/$(IMAGE)/versions.lock:/versions.lock:ro \
 		$(IMAGE_TAG) /scripts/$(IMAGE)/verify.sh
 
 # Scan image for vulnerabilities
 scan: build
 	@echo "Scanning $(IMAGE_TAG) for vulnerabilities..."
-	@docker run --rm \
+	@docker run --rm $(DOCKER_TTY) \
 		-v /var/run/docker.sock:/var/run/docker.sock \
 		-v $(CURDIR)/images/$(IMAGE)/.trivyignore:/.trivyignore:ro \
 		aquasec/trivy:0.70.0 image \
@@ -59,10 +63,17 @@ lint-lockfile:
 lint-docker:
 	@echo "Linting Dockerfiles..." && hadolint images/*/Dockerfile && echo "OK"
 
-# Lint shell scripts
+# Lint shell scripts.
+#
+# Bats files reference variables bats sets at runtime (output,
+# BATS_TEST_DIRNAME, BATS_TEST_TMPDIR, ...) plus helper-exported ones
+# that shellcheck can't trace across bats_load_library. SC2154
+# ("referenced but not assigned") is suppressed for that directory
+# only, not globally.
 lint-sh:
 	@echo "Linting shell scripts..." \
 		&& shellcheck scripts/*.sh scripts/*/*.sh tests/deb/*.sh images/*/bin/* \
+		&& shellcheck -e SC2154 tests/bats/*/*.bash tests/bats/*/*/*/*.bats \
 		&& echo "OK"
 
 # Check shell script formatting
@@ -106,6 +117,15 @@ man:
 test-package:
 	@./tests/deb/test-all.sh
 
+# Run BATS tests. BATS_RUNNER defaults to running inside the ci-tools
+# container via `docker run`, so `make test-bats` works from a stock
+# macOS host without needing bats installed. CI (already inside the
+# container) overrides with `BATS_RUNNER=bats` to avoid
+# docker-in-docker.
+BATS_RUNNER ?= docker run --rm $(DOCKER_TTY) -v $(CURDIR):/work -w /work $(IMAGE_TAG) bats
+test-bats:
+	@$(BATS_RUNNER) -r tests/bats/
+
 # Remove local image
 clean:
 	@echo "Removing $(IMAGE_TAG) ..."
@@ -135,6 +155,7 @@ help:
 	@echo "  make lint-sh-fmt       Check shell script formatting"
 	@echo "  make lint-sh-fmt-fix   Fix shell script formatting"
 	@echo "  make man               Preview man pages"
+	@echo "  make test-bats         Run BATS tests inside the ci-tools image"
 	@echo "  make test-package      Build and test deb package locally"
 	@echo "  make help              Show this message"
 	@echo ""

cspell.json

@@ -7,6 +7,7 @@
     "busted",
     "chktex",
     "cosign",
+    "dedup",
     "devops",
     "extglob",
     "hadolint",
@@ -16,17 +17,24 @@
     "markdownlint",
     "mikefarah",
     "minimatch",
+    "nameref",
     "nfpm",
+    "nocurl",
+    "nojq",
+    "nosuch",
     "picomatch",
     "rsync",
     "shellcheck",
     "shfmt",
     "sigstore",
     "startswith",
     "stdlib",
+    "stubdir",
     "stylelint",
+    "subcmd",
     "syscall",
     "tinyglobby",
+    "tonumber",
     "trivy",
     "xmlstarlet"
   ]