authorAlyssa Ross <alyssa.ross@unikie.com>2022-11-10 11:22:20 +0000
committerAlyssa Ross <alyssa.ross@unikie.com>2022-11-11 14:27:19 +0000
commit169fdd697771326fb111ab4532804a40e0fbeaa1 (patch)
tree9fa92d0b3298be20ce478fddadf3274802252d8c
parent1c8b473f048e55e316900ea83abc40fdb3cdd66a (diff)
release.nix: run shellcheck on build scripts
This will make the binary cache build (which I expect to become more
CI-like over time) fail if shellcheck doesn't pass on any shell
scripts found in the tree.  This will help ensure we are sticking to
POSIX shell features and following shell scripting best practices.

At present, only scripts with names ending in ".sh" are processed, as
we don't have any others, and discovering extensionless scripts would
be quite a bit more complex.  We can worry about that when the time
comes.

Signed-off-by: Alyssa Ross <alyssa.ross@unikie.com>
Message-Id: <20221110112219.459660-2-alyssa.ross@unikie.com>
Reviewed-by: Henri Rosten <henri.rosten@unikie.com>
-rw-r--r--nix/checks.nix24
-rw-r--r--release.nix2
2 files changed, 26 insertions, 0 deletions
diff --git a/nix/checks.nix b/nix/checks.nix
new file mode 100644
index 0000000..9eb261f
--- /dev/null
+++ b/nix/checks.nix
@@ -0,0 +1,24 @@
+# SPDX-License-Identifier: MIT
+# SPDX-FileCopyrightText: 2022 Unikie
+
+{ config ? import ../nix/eval-config.nix {} }:
+
+{
+  recurseForDerivations = true;
+
+  shellcheck = config.pkgs.callPackage (
+    { lib, runCommand, shellcheck }:
+    runCommand "spectrum-shellcheck" {
+      src = lib.cleanSourceWith {
+        filter = path: type:
+          type == "directory" || builtins.match ''.*[^/]\.sh'' path != null;
+        src = lib.cleanSource ../.;
+      };
+
+      nativeBuildInputs = [ shellcheck ];
+    } ''
+      shellcheck $src/**/*.sh
+      touch $out
+    ''
+  ) {};
+}
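Review bot: The glob in `shellcheck $src/**/*.sh` recurses only when bash's `globstar` option is on, and nothing in this builder script enables it; as far as I know stdenv's setup does not either, so `**` would behave like a single `*`. In that case only scripts exactly one directory below the root are checked, while scripts at the top level or nested deeper are skipped without any failure. That leaves the gate weaker than the commit message describes ("any shell scripts found in the tree"). Adding `shopt -s globstar` on the line before the call, or replacing it with `find "$src" -name '*.sh' -exec shellcheck {} +`, would cover the whole filtered tree.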
diff --git a/release.nix b/release.nix
index 91a843b..3ecf8a7 100644
--- a/release.nix
+++ b/release.nix
@@ -12,5 +12,7 @@
 {
   doc = import ./Documentation { inherit config; };
 
+  checks = import nix/checks.nix { inherit config; };
+
   combined = import img/combined/run-vm.nix { inherit config; };
 }