Support commands specified as space-separated exe/args

[anuraaga]

I have packaged shellcheck into a form that can be executed with go run

https://github.com/wasilibs/go-shellcheck

I'd like to then specify it when running actionlint so that when debugging a CI failure, devs can copy/paste to reproduce the command without any tool installation / version mismatches.

go run github.com/rhysd/actionlint/cmd/[email protected] -shellcheck="go run github.com/wasilibs/go-shellcheck/cmd/shellcheck@343642672fe6b725a201c27a742cbed0f5c5075a"

This patch seems to work well with that pattern

https://github.com/rhysd/actionlint/compare/main...anuraaga:process-args?expand=1

Is it something that could be considered for the project? If so, I'll send a PR.

[rhysd]

Oh, very interesting project. It might be a good idea to integrate go-shellcheck directly into actionlint in the future once the implementation gets mature.

It sounds okay to lex the -shellcheck option value. However I'd like to know why you need to run the tools with go run. Once you build the command with go build, this issue can be avoided.

[rhysd]

This patch seems to work well with that pattern

Please do not implement splitting a shell command line by yourself. That's more complicated than you think. Since the result is passed to arguments of an external process, this can be easily a security hall. This patch is not acceptable.

From the result of quick research, go-shellwords seems the most reliable lexing implementation. go-shellquote is less famous but better fit to our use case.

[anuraaga]

Thanks @rhysd

However I'd like to know why you need to run the tools with go run. Once you build the command with go build, this issue can be avoided.

I execute commands in build scripts with go run specifying a version, such as go run github.com/rhysd/actionlint/cmd/[email protected]. This ensures any developer running the command is running the same version, and after updating, they will be on the correct version when they pull the latest code of the repo. I've found this sort of build reproducibility to be important for teams so I always use it, go build or go install will leave a binary in the user's environment with less reproducibility.

From the result of quick research, go-shellwords seems the most reliable lexing implementation. go-shellquote is less famous but better fit to our use case.

Thanks for the note, I realized go-shellwords is used by one of my favorite libraries, goyek, and updated a little more recently than shellquote. Would it be acceptable then to make a patch using the library to make the parsing more robust?

[rhysd]

Sounds reasonable to use go run for build reproducibility.

Would it be acceptable then to make a patch using the library to make the parsing more robust?

Yes. go-shellwords looks a good choice. Please prefer shellwords.Parse to shellwords.ParseWithEnvs because we don't need to support environment variables in the command line.