chore: CI + scripts cleanup (review items #12 #13 #24 #31 #32 #37)

Six small review-list items rolled together — all CI/dev-tooling, no runtime behaviour change. #12 Dockerfile: pin Rust 1.95.0 and cargo-ndk 4.1.2 (was floating `stable` + latest cargo-ndk on monthly rebuild). Versions live in ENV vars to make the next bump a one-line edit. #13 Add shellcheck to lint job. SC2034/SC3043 excluded — Magisk reads SKIPUNZIP externally; Android's /system/bin/sh (mksh on Pixel) does support `local` despite POSIX. Verified locally that the 11 .sh files (module-side + dev tooling) pass. shellcheck baked into the CI image via apt; inline apt-get fallback covers the window before image rebuild. #24 ci.yml keystore.properties: replace heredoc with `printf '%s\n'`. Heredoc without single-quoted EOF re-expands $, backticks and backslashes in the password — printf takes the value verbatim. #31 scripts/release.py::patch_file now hard-fails when a regex pattern doesn't match (was silently leaving stale versions). #32 Split rotate_fragments_into_history into rotate + delete steps so release.py can save_json + write_md *before* unlinking the fragment files. If anything in between fails, fragments are still on disk and the run is retryable. #37 codegen-interfaces.py: emit `assert!(matches_vpn(…), msg)` / `assert!(!matches_vpn(…), msg)` instead of `assert_eq!(matches_vpn(…), true/false, msg)` — clippy::bool_assert_comparison was firing on every generated row under `cargo clippy --tests`. Both generated test modules regenerated. CI's clippy steps now also pass `--tests` so this class of regression is caught.
2026-04-28 06:31:27 +00:00 · 2026-04-27 01:14:03 +03:00 · 2026-04-27 01:14:03 +03:00 · 0d4cf09866
commit 0d4cf09866
parent e57417b686
7 changed files with 168 additions and 101 deletions
--- a/.github/docker/ci/Dockerfile
+++ b/.github/docker/ci/Dockerfile
@ -20,6 +20,7 @@ RUN apt-get update && \
        bc kmod cpio flex bison libssl-dev libelf-dev \
        binutils-aarch64-linux-gnu \
        clang-format \
+        shellcheck \
        git && \
    rm -rf /var/lib/apt/lists/*

@ -44,15 +45,20 @@ RUN mkdir -p "${ANDROID_HOME}/cmdline-tools" && \
    chmod -R a+rx "${ANDROID_HOME}"

 # ── Rust toolchain (for zygisk) ──────────────────────────────────────
+# Pin both rustc and cargo-ndk versions so monthly image rebuilds don't
+# silently drift. Bump together with local toolchain when needed; CI
+# stays reproducible against an exact version.
 ENV RUSTUP_HOME=/usr/local/rustup \
    CARGO_HOME=/usr/local/cargo \
-    PATH=/usr/local/cargo/bin:$PATH
+    PATH=/usr/local/cargo/bin:$PATH \
+    RUST_VERSION=1.95.0 \
+    CARGO_NDK_VERSION=4.1.2

 RUN curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | \
-        sh -s -- -y --default-toolchain stable --profile minimal --no-modify-path && \
+        sh -s -- -y --default-toolchain "${RUST_VERSION}" --profile minimal --no-modify-path && \
    rustup target add aarch64-linux-android && \
    rustup component add rustfmt clippy && \
-    cargo install cargo-ndk --locked && \
+    cargo install cargo-ndk --version "${CARGO_NDK_VERSION}" --locked && \
    chmod -R a+w /usr/local/rustup /usr/local/cargo

 # ── Android NDK (for zygisk) ─────────────────────────────────────────
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@ -86,15 +86,44 @@ jobs:
        run: |
          cd zygisk && cargo fmt --check
          cd ../lsposed/native && cargo fmt --check
+      # `--tests` so generated test modules are also linted
+      # (catches `bool_assert_comparison`-style regressions in
+      # codegen output).
      - name: clippy (zygisk)
-        run: cd zygisk && cargo ndk -t arm64-v8a clippy -- -D warnings
+        run: cd zygisk && cargo ndk -t arm64-v8a clippy --tests -- -D warnings
      - name: clippy (lsposed native)
-        run: cd lsposed/native && cargo ndk -t arm64-v8a clippy -- -D warnings
+        run: cd lsposed/native && cargo ndk -t arm64-v8a clippy --tests -- -D warnings
      - name: cargo test (zygisk)
        run: cd zygisk && cargo test
      - name: cargo test (lsposed native)
        run: cd lsposed/native && cargo test

+      # Shell — module-side scripts (Magisk/KSU) and host-side dev tooling.
+      # shellcheck is preinstalled in the CI image (apt). The list is
+      # explicit so we don't accidentally pick up vendored .sh from
+      # zygisk/third_party.
+      - name: shellcheck
+        # SC2034: `SKIPUNZIP` and the `for i in seq …` counters look unused
+        #         to shellcheck — Magisk reads SKIPUNZIP externally, the
+        #         counters are loop iterators we don't read by name.
+        # SC3043: `local` is "not POSIX" but Android's /system/bin/sh
+        #         (mksh on Pixel) supports it, and our module-side
+        #         scripts always run there.
+        # The inline `apt-get install` is a one-job fallback for the
+        # window between this PR landing and the next ci-image rebuild
+        # (the Dockerfile bake also adds shellcheck). After the rebuild
+        # this no-ops in <1s.
+        run: |
+          if ! command -v shellcheck >/dev/null; then
+            apt-get update -qq && apt-get install -y --no-install-recommends shellcheck >/dev/null
+          fi
+          shellcheck -x -e SC2034,SC3043 \
+            kmod/module/customize.sh kmod/module/post-fs-data.sh kmod/module/service.sh \
+            zygisk/module/customize.sh zygisk/module/service.sh \
+            portshide/module/customize.sh portshide/module/service.sh \
+            portshide/module/uninstall.sh portshide/module/vpnhide_ports_apply.sh \
+            scripts/clean-device.sh scripts/update-json.sh
+
      # C (kernel module)
      - name: clang-format
        run: clang-format --dry-run --Werror kmod/vpnhide_kmod.c
@ -250,11 +279,14 @@ jobs:
              -keyalg RSA -keysize 4096 -validity 365 \
              -dname "CN=vpnhide-fork-ci, O=vpnhide, C=US"
          fi
-          cat > "$GITHUB_WORKSPACE/lsposed/keystore.properties" <<EOF
-          password=$KEYSTORE_PASSWORD
-          keyAlias=$KEY_ALIAS
-          storeFile=$KEYSTORE_PATH
-          EOF
+          # Build via printf — `%s` swallows the value verbatim with no
+          # shell expansion of $, backticks, backslashes, or `!`. Heredoc
+          # without single-quoted EOF would re-expand each line.
+          {
+            printf 'password=%s\n' "$KEYSTORE_PASSWORD"
+            printf 'keyAlias=%s\n' "$KEY_ALIAS"
+            printf 'storeFile=%s\n' "$KEYSTORE_PATH"
+          } > "$GITHUB_WORKSPACE/lsposed/keystore.properties"

      # Release tags get the full assembleRelease (R8/ProGuard, signed APK
      # ready for the GitHub release). PRs and main pushes get assembleDebug