feat(build): enforce strict warnings across all linters

[WilliamBerryiii]

This PR established a warnings-as-errors policy across all CI linters and fixed a critical bug where Pester test failures were silently masked in CI. ShellCheck was added as a new linter with full CI integration, YamlLint was promoted to strict mode, and all remaining soft-fail linter jobs were switched to hard-fail.

Closes #6

Description

Critical Bug Fix

The Pester test workflow contained a $global:LASTEXITCODE = 0 reset that silently swallowed all test failures, allowing broken builds to pass CI. This was removed and replaced with explicit exit 1 calls when Pester reports failures or throws exceptions. Two test files also had stale dot-source paths referencing the scripts/lib/ symlink target instead of the canonical shared/lib/ location — these were corrected.

ShellCheck Integration

A complete ShellCheck linting pipeline was added to the repository:

• Added .shellcheckrc at the repository root with shell=bash, severity=warning, and external-sources=true
• Added a reusable GitHub Actions workflow (shellcheck.yml) that installs ShellCheck, runs the wrapper, and uploads results as a CI artifact
• Added Invoke-ShellCheck.ps1 (218 lines), a PowerShell wrapper that discovers .sh files, runs ShellCheck with JSON output, classifies findings, writes structured results to logs/, and emits CI annotations — treating warnings as failures
• Added Invoke-ShellCheck.Tests.ps1 (334 lines) with 10 Pester test contexts covering tool availability, changed-files-only mode, error/warning classification, JSON export structure, and directory exclusion
• Integrated ShellCheck into both main.yml and pr-validation.yml workflows with soft-fail: false

YamlLint Strict Mode

Invoke-YamlLint.ps1 was updated to treat warnings as failures by broadening the failure condition to include $warningCount -gt 0. The corresponding Pester tests in Invoke-YamlLint.Tests.ps1 were updated to reflect strict mode expectations.

Soft-Fail Policy

Linting jobs enforce strict failures (soft-fail: false):

Job	main.yml	pr-validation.yml
Terraform Validation	soft-fail: false	soft-fail: false
Go Lint	soft-fail: false	soft-fail: false
ShellCheck	soft-fail: false	soft-fail: false

Test and documentation jobs remain advisory (soft-fail: true) to avoid blocking PRs on infrastructure test flakiness or non-critical doc checks:

Job	main.yml	pr-validation.yml
Terraform Tests	soft-fail: true	soft-fail: true
Go Tests	soft-fail: true	soft-fail: true
Terraform Docs Check	soft-fail: true	soft-fail: true

Documentation and Tooling

• CONTRIBUTING.md gained a Warning Policy table documenting enforcement levels for all CI linters
• package.json added lint:sh and lint:py scripts and updated lint:all to include them

Type of Change

• 🐛 Bug fix (non-breaking change fixing an issue)
• ✨ New feature (non-breaking change adding functionality)
• 💥 Breaking change (fix or feature causing existing functionality to change)
• 📚 Documentation update
• 🏗️ Infrastructure change (Terraform/IaC)
• ♻️ Refactoring (no functional changes)

Component(s) Affected

• infrastructure/terraform/prerequisites/ - Azure subscription setup
• infrastructure/terraform/ - Terraform infrastructure
• infrastructure/setup/ - OSMO control plane / Helm
• workflows/ - Training and evaluation workflows
• training/ - Training pipelines and scripts
• docs/ - Documentation

Testing Performed

• 1021 Pester tests passed, 0 failed, 17 not run (Integration/Slow tags)
• ShellCheck wrapper validated with 10 new test contexts (28 assertions)
• YamlLint strict mode validated with updated test expectations (40 assertions)

Documentation Impact

• No documentation changes needed
• Documentation updated in this PR
• Documentation issue filed

Bug Fix Checklist

• Linked to issue being fixed
• Regression test included

Checklist

• My code follows the project conventions
• Commit messages follow conventional commit format
• I have performed a self-review
• Documentation impact assessed above
• No new linting warnings introduced

[github-actions]

Dependency Review

✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.

Snapshot Warnings

⚠️: No snapshots were found for the head SHA cc5ef42.

Ensure that dependencies are being submitted on PR branches and consider enabling retry-on-snapshot-warnings. See the documentation for more information and troubleshooting advice.

OpenSSF Scorecard

Package	Version	Score	Details
actions/actions/checkout	de0fac2e4500dabe0009e67214ff5f5447ce83dd	🟢 6	Details Check Score Reason Maintained ⚠️ 2 3 commit(s) and 0 issue activity found in the last 90 days -- score normalized to 2 Code-Review 🟢 10 all changesets reviewed Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Packaging ⚠️ -1 packaging workflow not detected Signed-Releases ⚠️ -1 no releases found Pinned-Dependencies 🟢 3 dependency not pinned by hash detected -- score normalized to 3 Security-Policy 🟢 9 security policy file detected Branch-Protection 🟢 6 branch protection is not maximal on development and all release branches SAST 🟢 8 SAST tool detected but not run on all commits
actions/actions/upload-artifact	bbbca2ddaa5d8feaa63e36b76fdaad77386f024f	🟢 5.7	Details Check Score Reason Code-Review 🟢 10 all changesets reviewed Maintained 🟢 5 4 commit(s) and 2 issue activity found in the last 90 days -- score normalized to 5 Dangerous-Workflow 🟢 10 no dangerous workflow patterns detected Binary-Artifacts 🟢 10 no binaries found in the repo Packaging ⚠️ -1 packaging workflow not detected CII-Best-Practices ⚠️ 0 no effort to earn an OpenSSF best practices badge detected Token-Permissions ⚠️ 0 detected GitHub workflow tokens with excessive permissions Pinned-Dependencies ⚠️ 1 dependency not pinned by hash detected -- score normalized to 1 Fuzzing ⚠️ 0 project is not fuzzed License 🟢 10 license file detected Signed-Releases ⚠️ -1 no releases found Security-Policy 🟢 9 security policy file detected Branch-Protection ⚠️ 0 branch protection not enabled on development/release branches SAST 🟢 10 SAST tool is run on all commits

Scanned Files

• .github/workflows/shellcheck.yml

[codecov-commenter]

Codecov Report

❌ Patch coverage is 93.96552% with 7 lines in your changes missing coverage. Please review.
✅ Project coverage is 64.40%. Comparing base (2ff839a) to head (cc5ef42).

Files with missing lines	Patch %	Lines
scripts/linting/Invoke-ShellCheck.ps1	93.80%	7 Missing ⚠️

Additional details and impacted files

@@            Coverage Diff             @@
##             main     #392      +/-   ##
==========================================
+ Coverage   64.04%   64.40%   +0.35%     
==========================================
  Files         250      251       +1     
  Lines       15319    15433     +114     
  Branches     2108     2060      -48     
==========================================
+ Hits         9811     9939     +128     
+ Misses       5220     5206      -14     
  Partials      288      288              

Flag	Coverage Δ
pester	82.20% <93.96%> (+0.98%)	⬆️
pytest	92.40% <ø> (ø)
pytest-dataviewer	63.87% <ø> (ø)
pytest-fuzz	1.59% <ø> (ø)
vitest	50.80% <ø> (ø)

Files with missing lines	Coverage Δ
scripts/linting/Invoke-YamlLint.ps1	93.02% <100.00%> (ø)
scripts/linting/Markdown-Link-Check.ps1	62.50% <100.00%> (+14.94%)	⬆️
scripts/linting/Invoke-ShellCheck.ps1	93.80% <93.80%> (ø)

🚀 New features to boost your workflow:

• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[rezatnoMsirhC]

I'm now realizing this PR is for linters and not tests, so leaving soft-fail: true on terraform-tests and go-tests was probably intentional. Do we have another issue for enforcing strict warnings/errors on those later on?