Skip to content

t1404: Harden ShellCheck fallback path — process group kill + missing warning#2923

Merged
marcusquinn merged 1 commit intomainfrom
bugfix/t1404-shellcheck-fallback-timeout
Mar 5, 2026
Merged

t1404: Harden ShellCheck fallback path — process group kill + missing warning#2923
marcusquinn merged 1 commit intomainfrom
bugfix/t1404-shellcheck-fallback-timeout

Conversation

@marcusquinn
Copy link
Owner

@marcusquinn marcusquinn commented Mar 5, 2026

Summary

  • Adds one-time warning when no timeout/gtimeout utility is found, so users know they're running with degraded ShellCheck protection
  • Uses process group kill (kill -- -$PID) in the portable timeout watcher to clean up ShellCheck and all its child processes, falling back to single-process kill if the subshell isn't a process group leader
  • Simplifies per-file timeout warning (redundant detail already covered by the one-time warning)

Context

CodeRabbit flagged in PR #2855 review that the fallback path (when no timeout/gtimeout exists) still risked runaway ShellCheck processes. PR #2855 already dropped -x and added a portable sleep-based watcher, but:

  1. No warning was emitted when entering the degraded path
  2. kill "$sc_bg_pid" only killed the subshell, not ShellCheck's child processes — orphaned children could continue consuming resources

Verification

  • bash -n syntax check: PASS
  • shellcheck --severity=warning: PASS (zero violations)
  • Changes are minimal and focused on the fallback else branch only

Closes #2900

@marcusquinn
fix: harden ShellCheck fallback path — process group kill + missing w…
456eac1 
…arning

When no timeout/gtimeout utility is available, the portable fallback
wrapper now:

1. Prints a one-time warning that degraded protection is active
2. Uses process group kill (kill -- -PID) to clean up ShellCheck and
   all its child processes, falling back to single-process kill if the
   subshell isn't a process group leader
3. Simplifies the per-file timeout warning (redundant 'no timeout
   utility' detail already covered by the one-time warning)

Addresses CodeRabbit review feedback from PR #2855 about the fallback
path reopening the runaway ShellCheck risk.

Closes #2900
@github-actions
Copy link

github-actions bot commented Mar 5, 2026

🔍 Code Quality Report

�[0;35m[MONITOR]�[0m Code Review Monitoring Report

�[0;34m[INFO]�[0m Latest Quality Status:
SonarCloud: 0 bugs, 0 vulnerabilities, 108 code smells

�[0;34m[INFO]�[0m Recent monitoring activity:
Thu Mar 5 15:02:01 UTC 2026: Code review monitoring started
Thu Mar 5 15:02:01 UTC 2026: SonarCloud - Bugs: 0, Vulnerabilities: 0, Code Smells: 108

📈 Current Quality Metrics

  • BUGS: 0
  • CODE SMELLS: 108
  • VULNERABILITIES: 0

Generated on: Thu Mar 5 15:02:03 UTC 2026

Generated by AI DevOps Framework Code Review Monitoring

@sonarqubecloud
Copy link

sonarqubecloud bot commented Mar 5, 2026

Quality Gate Passed Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud

@gemini-code-assist
Copy link

gemini-code-assist bot commented Mar 5, 2026

Summary of Changes

Hello, I'm Gemini Code Assist1! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly hardens the ShellCheck fallback mechanism, which activates when standard timeout utilities are unavailable. The changes improve the robustness of process termination by ensuring all child processes are cleaned up and provide clearer communication to the user about the operational state, leading to a more reliable and transparent linting process.

Highlights

  • Improved User Feedback: A one-time warning is now displayed when the timeout or gtimeout utility is not found, informing users that ShellCheck is running with a less reliable portable fallback.
  • Enhanced Process Cleanup: The portable timeout watcher now uses process group killing (kill -- -$PID) to ensure that ShellCheck and all its child processes are terminated, falling back to single-process kill if necessary.
  • Simplified Warnings: The per-file timeout warning message has been simplified, removing redundant details now covered by the one-time warning for missing timeout utilities.
Changelog
  • .agents/scripts/linters-local.sh
    • Added a conditional warning message if timeout or gtimeout utilities are not found.
    • Modified the kill command in the portable timeout watcher to target process groups for comprehensive cleanup of ShellCheck and its child processes.
    • Updated the timeout warning message for individual files to be more concise.
Activity
Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature Command Description
Code Review /gemini review Performs a code review for the current pull request in its current state.
Pull Request Summary /gemini summary Provides a summary of the current pull request in its current state.
Comment @gemini-code-assist Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help /gemini help Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

  1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution.

@alex-solovyev alex-solovyev mentioned this pull request Mar 5, 2026
Open
@marcusquinn marcusquinn mentioned this pull request Mar 5, 2026
Open
gemini-code-assist[bot]
gemini-code-assist bot reviewed Mar 5, 2026
View reviewed changes
Copy link

@gemini-code-assist gemini-code-assist bot left a comment

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

Code Review

This pull request improves the fallback mechanism for running ShellCheck when a timeout utility isn't available. It introduces a one-time warning to inform the user about the degraded process cleanup and enhances the timeout watcher to kill the entire process group, which is a solid improvement. My review includes one suggestion to further harden the new timeout logic by avoiding error suppression, which aligns with the project's established scripting guidelines and improves debuggability.

.agents/scripts/linters-local.sh
# Watcher: kill the process group (- prefix) to catch child processes,
# falling back to single-process kill if group kill fails (e.g., not a
# process group leader on some shells).
(sleep "$sc_timeout" && kill -- -"$sc_bg_pid" 2>/dev/null || kill "$sc_bg_pid" 2>/dev/null) &
Copy link

@gemini-code-assist gemini-code-assist bot Mar 5, 2026

Choose a reason for hiding this comment

The reason will be displayed to describe this comment to others. Learn more.

medium

While this change correctly attempts to kill the process group with a fallback, suppressing stderr for both kill commands with 2>/dev/null can hide important errors, such as "Operation not permitted". This goes against the project's general rules which advise against blanket error suppression. While removing the suppression may result in "No such process" messages in the log if the process has already completed, it ensures that actual failures in the timeout mechanism are visible for debugging.

Suggested change
(sleep "$sc_timeout" && kill -- -"$sc_bg_pid" 2>/dev/null || kill "$sc_bg_pid" 2>/dev/null) &
(sleep "$sc_timeout" && kill -- -"$sc_bg_pid" || kill "$sc_bg_pid") &
References
  1. Avoid using '2>/dev/null' for blanket suppression of command errors in shell scripts to ensure that authentication, syntax, or system issues remain visible for debugging.

@marcusquinn marcusquinn merged commit f4164cf into main Mar 5, 2026
21 of 23 checks passed
@marcusquinn marcusquinn deleted the bugfix/t1404-shellcheck-fallback-timeout branch March 5, 2026 16:28
This was referenced Mar 5, 2026
Merged
Closed
Open
Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment

Reviewers

1 more reviewer

@gemini-code-assist gemini-code-assist[bot] gemini-code-assist[bot] left review comments

Reviewers whose approvals may not affect merge requirements

Assignees

No one assigned

Labels

None yet

Projects

None yet

Milestone

No milestone

Development

Successfully merging this pull request may close these issues.

quality-debt: .agents/scripts/linters-local.sh — PR #2855 review feedback (high)

1 participant

@marcusquinn