fix: Add shellcheck workflow and fix script issues

Add automated shellcheck validation via GitHub Actions and fix
shellcheck issues in 5 shell scripts quotes, error handling

Signed-off-by: pavithiran34 <[email protected]>

Author: pavithiran34

.github/workflows/shellcheck.yaml

@@ -0,0 +1,39 @@
+# https://github.com/marketplace/actions/shellcheck
+name: Check shell scripts
+
+on:
+  workflow_dispatch:
+  pull_request:
+    types:
+      - opened
+      - edited
+      - reopened
+      - synchronize
+
+permissions: {}
+
+concurrency:
+  group: ${{ github.workflow }}-${{ github.event.pull_request.number || github.ref }}
+  cancel-in-progress: true
+
+jobs:
+  shellcheck:
+    name: shellcheck
+    runs-on: ubuntu-24.04
+    steps:
+      - name: Harden the runner (Audit all outbound calls)
+        uses: step-security/harden-runner@f808768d1510423e83855289c910610ca9b43176 # v2.17.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout the code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          fetch-depth: 0
+          persist-credentials: false
+
+      - name: Run ShellCheck
+        uses: ludeeus/action-shellcheck@00cae500b08a931fb5698e11e79bfbd38e612a38 # v2.0.0
+        with:
+          ignore_paths: "**/vendor/**"
+

attestation-agent/ci/occlum.sh

@@ -1,4 +1,5 @@
-rm -rf occlum_instance && mkdir occlum_instance && cd occlum_instance
+#!/bin/bash
+rm -rf occlum_instance && mkdir occlum_instance && cd occlum_instance || exit
 
 occlum init && rm -rf image
 

attestation-agent/coco_keyprovider/tools/generate_keys.sh

@@ -31,39 +31,38 @@ dump_keys() {
 
 generate_keys() {
 	repo=
-	if [ -z $1 ]; then
+	if [ -z "$1" ]; then
 		repo="default"
 	else
-		repo=$1
+		repo="$1"
 	fi
 
-	create_keys 10 $repo
+	create_keys 10 "$repo"
 	dump_keys
 }
 
 export_key() {
-	local json_file=$1
-	local uri=$2
-	local output_path=$3
+	local json_file="$1"
+	local uri="$2"
+	local output_path="$3"
 
-	cat $json_file | jq ".\"$uri\"" -r | base64 -d > $output_path
+	cat "$json_file" | jq ".\"$uri\"" -r | base64 -d > "$output_path"
 }
 
 main() {
-    local dir=$(cd "$(dirname "$0")";pwd)
-	local operation=$1
+	local operation="$1"
     if [ -z "$operation" ]; then 
         usage
     fi
 
-    if [ "$operation" = "generate" ] ;then
-        generate_keys $2
+	if [ "$operation" = "generate" ] ;then
+        generate_keys "$2"
     elif [ "$operation" = "export" ] ;then
-		if [ -z $4 ] ; then
+		if [ -z "$4" ] ; then
 			echo "[FAILED] Unmatched parameters"
 			usage
 		fi
-        export_key $2 $3 $4
+        export_key "$2" "$3" "$4"
     else
 		echo "[FAILED] Unknown operation $operation"
 		usage

image-rs/scripts/build_confidential_data_hub.sh

@@ -12,12 +12,13 @@ set -o pipefail
 [ -n "${BASH_VERSION:-}" ] && set -o errtrace
 [ -n "${DEBUG:-}" ] && set -o xtrace
 
-source $HOME/.cargo/env
+# shellcheck disable=SC1091
+source "$HOME/.cargo/env"
 
 SCRIPT_DIR=$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)
 CDH_DIR=$SCRIPT_DIR/../../confidential-data-hub
 
-pushd $CDH_DIR
+pushd "$CDH_DIR"
 
 make RESOURCE_PROVIDER=none KMS_PROVIDER=none RPC="${RPC}" LIBC=gnu
 make DESTDIR="${SCRIPT_DIR}/${RPC}" install LIBC=gnu

image-rs/scripts/install_offline_fs_kbc_files.sh

@@ -12,7 +12,7 @@ set -o errtrace
 
 [ -n "${DEBUG:-}" ] && set -o xtrace
 
-script_dir=$(dirname $(readlink -f $0))
+script_dir=$(dirname "$(readlink -f "$0")")
 test_resource_json_name="${2:-aa-offline_fs_kbc-resources.json}"
 resource_json_name="aa-offline_fs_kbc-resources.json"
 keys_json_name="aa-offline_fs_kbc-keys.json"

image-rs/scripts/install_test_signatures.sh

@@ -12,7 +12,7 @@ set -o errtrace
 
 [ -n "${DEBUG:-}" ] && set -o xtrace
 
-script_dir="$(dirname $(readlink -f $0))"
+script_dir="$(dirname "$(readlink -f "$0")")"
 test_artifacts_dir="${script_dir}/../test_data/simple-signing-scheme"
 rootfs_quay_verification_directory="/etc/containers/quay_verification"