fix(lint): fix all sonarcloud detected issues (#279)

* fix(ci): replace broad permissions with specific scopes in workflows

Replace read-all/write-all with minimum required permission scopes
across all GitHub Actions workflows to follow the principle of least
privilege (SonarCloud rule githubactions:S8234).

* fix(shell): use [[ instead of [ for conditional tests

Replace single brackets with double brackets in bash conditional
expressions across 14 files (28 changes). All scripts use bash
shebangs so [[ is safe everywhere (SonarCloud rule shelldre:S7688).

* fix(shell): add explicit return statements to functions

Add return 0 as the last statement in ~46 shell functions across
17 files that previously relied on implicit return codes
(SonarCloud rule shelldre:S7682).

* fix(shell): assign positional parameters to local variables

Replace direct $1/$2/$3 usage with named local variables in _log(),
msg(), msg_err(), msg_done(), msg_run(), msg_ok(), and array_diff()
(SonarCloud rule shelldre:S7679).

* fix(python): replace dict() constructor with literal

Use {} instead of dict() for empty dictionary initialization
(SonarCloud rule python:S7498).

* fix(shell): fix husky shebang and tolerate npm outdated exit code

* docs(shell): add function docstring comments

* fix(shell): fix heredoc indentation in x-sonarcloud

* feat(python): add ruff linter and formatter configuration

* fix(ci): align megalinter config with biome, ruff, and shfmt settings

* fix(ci): disable black and yaml-prettier in megalinter config

* chore(ci): update ruff-pre-commit to v0.15.0 and fix hook name

* fix(scripts): check for .git dir before skipping clone in install-fonts

* fix(shell): address code review issues in scripts and shared.sh

- Guard wezterm show-keys failure in create-wezterm-keymaps.sh
- Stop masking git failures with return 0 in install-cheat-purebashbible.sh
- Add missing shared.sh source in install-xcode-cli-tools.sh
- Replace exit 1 with return 1 in sourced shared.sh

* fix(scripts): address code review and security findings

- Guard wezterm show-keys failure in create-wezterm-keymaps.sh
- Stop masking git failures with return 0 in install-cheat-purebashbible.sh
- Add missing shared.sh source in install-xcode-cli-tools.sh
- Replace exit 1 with return 1 in sourced shared.sh
- Remove shell=True subprocess calls in x-git-largest-files.py

* style(shell): apply shfmt formatting and add args to pre-commit hook

* fix(python): suppress bandit false positives in x-git-largest-files

* fix(python): add nosemgrep suppression for check_output call

* feat(format): add prettier for YAML formatting

Install prettier, add .prettierrc.json config (200-char width, 2-space
indent, LF endings), .prettierignore, yarn scripts (lint:prettier,
fix:prettier, format:yaml), and pre-commit hook scoped to YAML files.

* style(yaml): apply prettier formatting

* fix(scripts): address remaining code review findings

- Python: use list comprehension to filter empty strings instead of
  slicing off the last element
- create-wezterm-keymaps: write to temp file and mv for atomic updates
- install-xcode-cli-tools: fix shellcheck source directive path

* fix(python): sort imports alphabetically in x-git-largest-files

* fix(lint): disable PYTHON_ISORT in MegaLinter, ruff handles it

* chore(git): add __pycache__ to gitignore

* fix(python): rename ambiguous variable l to line (E741)

* style: remove trailing whitespace and blank lines

* style(fzf): apply shfmt formatting

* style(shell): apply shfmt formatting

* docs(plans): add design documents

* style(docs): add language specifier to fenced code block

* feat(lint): add markdown-table-formatter to dev tooling

Add markdown-table-formatter as a dev dependency with yarn scripts
(lint:md-table, fix:md-table) and a local pre-commit hook to
automatically format markdown tables on commit.
2026-02-07 19:01:02 +02:00
committed by GitHub
parent cff3d1dd8a
commit 6d72003446
86 changed files with 1264 additions and 425 deletions
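The shell patterns the commit message lists (positional parameters bound to named locals, `[[` tests, an explicit return as the last statement, a failed command that is reported instead of masked with `return 0`, and the write-to-temp-file-then-`mv` atomic update) in one runnable script. This is an added example, not code from the dotfiles repository; the function names `msg`, `run_or_fail` and `atomic_write` are hypothetical.

```bash
#!/usr/bin/env bash
# Added example (not from the repository): the shell lint patterns from the
# commit message in one place. Function names are hypothetical.
set -euo pipefail

# S7679: positional parameters bound to named locals.
# S7688: [[ ]] for tests (bash-only, which the repo's bash shebangs allow).
# S7682: explicit return code as the last statement.
msg() {
  local level="$1"
  local text="$2"
  if [[ "$level" == "err" ]]; then
    printf 'ERROR: %s\n' "$text" >&2
  else
    printf '%s: %s\n' "$level" "$text"
  fi
  return 0
}

# Capture a command's output without masking its failure with "return 0":
# on failure the function reports and returns 1 so the caller can decide.
run_or_fail() {
  local output
  if ! output="$("$@" 2>/dev/null)"; then
    msg err "command failed: $*"
    return 1
  fi
  printf '%s\n' "$output"
  return 0
}

# Atomic update: write to a temp file in the destination's directory, then
# mv over the target, so a reader never sees a half-written file.
atomic_write() {
  local dest="$1"
  local content="$2"
  local tmp
  tmp="$(mktemp "${dest}.XXXXXX")" || return 1
  if ! printf '%s\n' "$content" >"$tmp"; then
    rm -f "$tmp"
    return 1
  fi
  mv -f "$tmp" "$dest"
  return 0
}
```

`run_or_fail git fetch --all` is the shape of the fix described for install-cheat-purebashbible.sh: the caller sees the real exit status rather than a forced success. `mktemp` is given a template next to the destination so the final `mv` stays on one filesystem and is a rename, not a copy.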

.github/README.md vendored

@@ -37,7 +37,7 @@ see what interesting stuff you've done with it. Sharing is caring.
### Interesting folders
| Path | Description |
| ------------------- | -------------------------------------------- |
|---------------------|----------------------------------------------|
| `.github` | GitHub Repository configuration files, meta. |
| `hosts/{hostname}/` | Configs that should apply to that host only. |
| `local/bin` | Helper scripts that I've collected or wrote. |
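Review bot: the separator-row change in this hunk (and in the two README hunks that follow) only drops the padding spaces inside `| --- |` to give `|---|`, which is the output style of the markdown-table-formatter hook added at the end of this PR; both forms are valid GFM and render identically, so no manual follow-up is needed. Because the prettier hook added in the same PR is scoped to YAML files, the two formatters will not fight over these tables.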
@@ -52,7 +52,7 @@ is processed by Dotbot during installation.
### dotfile folders
| Repo | Destination | Description |
| --------- | ----------- | ------------------------------------------- |
|-----------|-------------|---------------------------------------------|
| `base/` | `.*` | `$HOME` level files. |
| `config/` | `.config/` | Configurations for applications. |
| `local/` | `.local/` | XDG Base folder: `bin`, `share` and `state` |
@@ -86,7 +86,7 @@ The folder structure follows [XDG Base Directory Specification][xdg] where possi
### XDG Variables
| Env | Default | Short description |
| ------------------ | -------------------- | ---------------------------------------------- |
|--------------------|----------------------|------------------------------------------------|
| `$XDG_BIN_HOME` | `$HOME/.local/bin` | Local binaries |
| `$XDG_CONFIG_HOME` | `$HOME/.config` | User-specific configs |
| `$XDG_DATA_HOME` | `$HOME/.local/share` | User-specific data files |


@@ -9,13 +9,15 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
contents: read
jobs:
debug-changelog:
runs-on: ubuntu-latest
permissions: write-all
permissions:
contents: read
steps:
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
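Review bot: the job-level `permissions: contents: read` on debug-changelog now duplicates the top-level grant, so it can be dropped, or kept as a deliberate pin with a one-line comment so the next reader does not assume the job needs something more. Dropping `write-all` here is right only if the changelog step in the next hunk needs read access alone; if the scheduled run starts failing after this change, that step is the first place to look.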
@@ -27,7 +29,7 @@ jobs:
token: ${{ secrets.GITHUB_TOKEN }}
config_file: .github/tag-changelog-config.js
- name: 'Echo results'
- name: "Echo results"
id: output-changelog
run: |
echo "${{ steps.changelog.outputs.changes }}"
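Review bot: `echo "${{ steps.changelog.outputs.changes }}"` on the last line splices the action output into the shell script at template-expansion time, before bash parses it, so a backtick, `$(...)` or a stray double quote in any commit message that lands in the changelog runs as code on the runner. Pass it through the environment instead: `env:` / `CHANGES: ${{ steps.changelog.outputs.changes }}` on the step, then `run: printf '%s\n' "$CHANGES"`.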


@@ -11,7 +11,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
contents: read
jobs:
Linter:
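Review bot: with the top level reduced to `contents: read`, every other scope is none for the Linter job unless its own `permissions` block (outside this hunk) restores it; linters that post a commit status or a PR comment need `statuses: write` or `pull-requests: write`, so check the job block before merging rather than discovering it on the next pull request.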


@@ -5,19 +5,21 @@ name: Release Daily State
on:
workflow_dispatch:
schedule:
- cron: '0 21 * * *' # 00:00 at Europe/Helsinki
- cron: "0 21 * * *" # 00:00 at Europe/Helsinki
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
contents: read
jobs:
new-daily-release:
runs-on: ubuntu-latest
permissions: write-all
permissions:
contents: write
outputs:
created: ${{ steps.daily-version.outputs.created }}
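Review bot: `contents: write` on new-daily-release is the minimum for pushing a tag or creating a release, and lowering the top level to read keeps any other job out of that scope, so the permissions change is fine. Unrelated nit on the cron line carried in context: `0 21 * * *` is 21:00 UTC, which is 00:00 in Helsinki only during summer time (UTC+3); in winter (UTC+2) it fires at 23:00 local, so the comment "00:00 at Europe/Helsinki" is only right for half the year.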


@@ -5,14 +5,15 @@ name: Pre-commit autoupdate
on:
schedule:
# At 04:00 on Monday and Thursday.
- cron: '0 4 * * 1,4'
- cron: "0 4 * * 1,4"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
contents: read
jobs:
auto-update:
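Review bot: after this change the auto-update job inherits `contents: read` only, but its next hunk pushes the `update/pre-commit-hooks` branch and opens a pull request with GITHUB_TOKEN, which needs `contents: write` and `pull-requests: write` on the job's own permissions block; that block is not in the diff, so confirm it exists or the scheduled run will fail with a 403.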
@@ -33,6 +34,6 @@ jobs:
with:
token: ${{ secrets.GITHUB_TOKEN }}
branch: update/pre-commit-hooks
title: 'chore: update pre-commit hooks'
commit-message: 'chore: update pre-commit hooks'
title: "chore: update pre-commit hooks"
commit-message: "chore: update pre-commit hooks"
body: Update versions of pre-commit hooks to latest version.
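Review bot: a pull request opened with `secrets.GITHUB_TOKEN` does not trigger other workflows (GitHub suppresses `pull_request` events caused by the built-in token), so the Linter and semantic-pr checks will not run on update/pre-commit-hooks, and the repository setting "Allow GitHub Actions to create and approve pull requests" must be enabled for the create step to succeed at all. If the checks should run on these PRs, use a GitHub App installation token or a fine-grained PAT stored as a secret in place of GITHUB_TOKEN.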


@@ -14,7 +14,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
pull-requests: read
jobs:
semantic-pr:
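Review bot: `pull-requests: read` as the only top-level scope sets `contents` to none for the semantic-pr job; that is correct if the action only reads the PR title through the API, but if the job checks out the repository it needs `contents: read`, and if the action is configured to comment on a failing title it needs `pull-requests: write`, both of which would have to be declared in the job block that this hunk does not show.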


@@ -11,7 +11,7 @@ on:
- .github/workflows/sync-labels.yml
- .github/labels.yml
schedule:
- cron: '34 5 * * *'
- cron: "34 5 * * *"
workflow_call:
workflow_dispatch:
@@ -19,7 +19,8 @@ concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
contents: read
jobs:
SyncLabels:
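Review bot: creating and updating repository labels goes through the issues API, so the SyncLabels job needs `issues: write` in its own permissions block now that the top level is `contents: read`. The old top-level `read-all` would not have granted that either, so if this workflow was passing before, the job block already carries it; if it was not, this hunk is where to add it.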


@@ -5,20 +5,22 @@ name: Update submodules
on:
schedule:
# At 04:00 on Monday and Thursday.
- cron: '0 4 * * 1'
- cron: "0 4 * * 1"
workflow_dispatch:
concurrency:
group: ${{ github.workflow }}-${{ github.ref }}
cancel-in-progress: true
permissions: read-all
permissions:
contents: read
jobs:
update-submodules:
runs-on: ubuntu-latest
permissions: write-all
permissions:
contents: write
steps:
- name: Checkout repository
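Review bot: the comment "At 04:00 on Monday and Thursday." does not match `0 4 * * 1`, which fires on Monday only; the pre-commit autoupdate workflow pairs the same comment with `0 4 * * 1,4`, so either the schedule or the comment was copied incompletely here. On permissions, `contents: write` for update-submodules is the minimum needed to push the submodule bump; if the job opens a pull request instead of committing directly, it also needs `pull-requests: write`.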