
update tuf-repo-init.sh: Remove unused signing_config.v0.2.json files #134

Merged: fghanmi merged 2 commits into develop from update_init_script on Nov 3, 2025

Conversation

@fghanmi (Member) commented Nov 3, 2025

Summary by Sourcery

Enhancements:

  • Remove stale signing_config.v0.2.json files in the targets directory, retaining only the most recent one.

@sourcery-ai bot commented Nov 3, 2025

Reviewer's Guide

This PR extends the tuf-repo-init.sh script by adding a new cleanup step that locates and deletes all but the most recent signing_config.v0.2.json files in the targets directory.

Flow diagram for the new cleanup step in tuf-repo-init.sh

```mermaid
flowchart TD
    A["Start cleanup step"] --> B["Find all *.signing_config.v0.2.json files in ${OUTDIR}/targets"]
    B --> C["Sort files by modification time (descending)"]
    C --> D["Keep the most recent file"]
    D --> E["Delete all other *.signing_config.v0.2.json files"]
    E --> F["Continue with script"]
```

File-Level Changes

Change: Add cleanup step to remove unused signing_config.v0.2.json files
Details:
  • Use find with -name to locate all signing_config.v0.2.json files under OUTDIR/targets
  • Pipe results through xargs and ls -t, then tail -n +2 to skip the newest file
  • Load the list into an array via mapfile and loop to rm each file
Files: rhtas/tuf-repo-init.sh


@qodo-code-review bot commented Nov 3, 2025

PR Compliance Guide 🔍

(Compliance updated until commit cf852c6)

Below is a summary of compliance checks for this PR:

Security Compliance
🟢 No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
🟢 No codebase code duplication found: No new components were introduced in the PR code
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Deletion unlogged: The new code deletes files in ${OUTDIR}/targets without emitting audit log entries that
include user, timestamp, action description, and outcome.

Referred Code

```bash
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done

# Remove unused signing_config.v0.2.json files from ${OUTDIR}/targets
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Unchecked deletes: The script removes files using rm without checking exit codes or handling cases where
find/xargs/ls fail or no files are found.

Referred Code

```bash
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done

# Remove unused signing_config.v0.2.json files from ${OUTDIR}/targets
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```
Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Path handling: Deletion operations rely on ${OUTDIR} without visible validation/sanitization in this
diff, which may risk unintended file removal if the path is malformed.

Referred Code

```bash
# Remove unused trusted_root.json files from ${OUTDIR}/targets
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.trusted_root.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done

# Remove unused signing_config.v0.2.json files from ${OUTDIR}/targets
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```

Compliance status legend: 🟢 Fully Compliant · 🟡 Partial Compliant · 🔴 Not Compliant · ⚪ Requires Further Human Verification · 🏷️ Compliance label

Previous compliance checks

Compliance check up to commit c95a0b4
Security Compliance
🟢 No security concerns identified: No security vulnerabilities detected by AI analysis. Human verification advised for critical code.
Ticket Compliance
🎫 No ticket provided
Codebase Duplication Compliance
🟢 No codebase code duplication found: No new components were introduced in the PR code
Custom Compliance
🟢
Generic: Meaningful Naming and Self-Documenting Code

Objective: Ensure all identifiers clearly express their purpose and intent, making code
self-documenting

Status: Passed

Generic: Secure Logging Practices

Objective: To ensure logs are useful for debugging and auditing without exposing sensitive
information like PII, PHI, or cardholder data.

Status: Passed

🔴
Generic: Robust Error Handling and Edge Case Management

Objective: Ensure comprehensive error handling that provides meaningful context and graceful
degradation

Status:
Unchecked command errors: The use of find/xargs/ls/tail and rm lacks error checks and handling for empty results,
failures, or permission issues, risking silent failures.

Referred Code

```bash
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```
Generic: Comprehensive Audit Trails

Objective: To create a detailed and reliable record of critical system actions for security analysis
and compliance.

Status:
Missing deletion logs: The script deletes files without logging which files were removed or by whom, reducing the
audit trail for critical delete actions.

Referred Code

```bash
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```
Generic: Secure Error Handling

Objective: To prevent the leakage of sensitive system information through error messages while
providing sufficient detail for internal debugging.

Status:
Potential stderr exposure: External command errors (e.g., ls/find/xargs/rm) may print detailed filesystem
paths/errors to stderr without controlled handling, which could expose internal details
depending on caller context.

Referred Code

```bash
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```
Generic: Security-First Input Validation and Data Handling

Objective: Ensure all data inputs are validated, sanitized, and handled securely to prevent
vulnerabilities

Status:
Unsafe pipeline assumptions: The pipeline using find|xargs|ls|tail to select files for deletion lacks validation of
inputs and might mis-handle filenames with newlines or unexpected matches without
safeguards beyond -print0, warranting review.

Referred Code

```bash
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
for file in "${files_to_delete[@]}"; do
    rm -- "$file"
done
```

@sourcery-ai sourcery-ai bot left a comment

Hey there - I've reviewed your changes and they look great!

Prompt for AI Agents
Please address the comments from this code review:

## Individual Comments

### Comment 1
<location> `rhtas/tuf-repo-init.sh:316` </location>
<code_context>
     rm -- "$file"
 done

+# Remove ununused signing_config.v0.2.json files from ${OUTDIR}/targets
+mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
+for file in "${files_to_delete[@]}"; do
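Review bot: the `xargs -0 ls -t` stage on the `mapfile` line is unsafe when `find` matches nothing, because GNU xargs still runs the command once on empty input unless given `-r` (`--no-run-if-empty`); `ls -t` with no arguments then lists the current working directory, `tail -n +2` drops its first entry, and the loop that follows passes the remaining entries to `rm --` by relative name. Add `-r` to xargs, or test `${#files_to_delete[@]}` before the loop, so that a fresh or already-pruned targets directory is a no-op rather than a deletion of whatever happens to be in the caller's cwd.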
</code_context>

<issue_to_address>
**nitpick (typo):** Typo in comment: 'ununused' should be 'unused'.

Please update the comment to fix the typo.

```suggestion
# Remove unused signing_config.v0.2.json files from ${OUTDIR}/targets
```
</issue_to_address>

### Comment 2
<location> `rhtas/tuf-repo-init.sh:317` </location>
<code_context>
 done

+# Remove ununused signing_config.v0.2.json files from ${OUTDIR}/targets
+mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
+for file in "${files_to_delete[@]}"; do
+    rm -- "$file"
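Review bot: `-print0` only protects the hop from `find` to `xargs` on the `mapfile` line; `ls -t` writes one name per line and `mapfile -t` splits on newlines, so a target name containing a newline is split into two bogus paths that are then handed to `rm --` (the quoting and `--` already cover spaces, globs and leading dashes). Keep the list NUL-delimited end to end instead of parsing `ls`, for example `find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -printf '%T@\t%p\0' | sort -z -k1,1gr | tail -z -n +2 | cut -z -f2-` read with `mapfile -d '' -t files_to_delete`.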
</code_context>

<issue_to_address>
**issue (bug_risk):** Potential issue with file deletion logic if filenames contain newlines or special characters.

Piping filenames to 'ls -t' and 'tail' can cause issues with newlines or special characters. Consider using 'find' with 'sort' and '-print0', or handle the list in bash to avoid parsing errors.
</issue_to_address>


done

# Remove ununused signing_config.v0.2.json files from ${OUTDIR}/targets
mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
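Review bot: the `find` root on the `mapfile` line is `"${OUTDIR}/targets/"` with no check that `OUTDIR` is set and non-empty; if the variable is unset the search, and the `rm` loop fed by it, run against `/targets/`. Guard it once before the two cleanup blocks, e.g. `: "${OUTDIR:?OUTDIR must be set}"` followed by `[ -d "${OUTDIR}/targets" ] || exit 1`, so a mis-sourced environment fails fast instead of pruning the wrong tree.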
issue (bug_risk): Potential issue with file deletion logic if filenames contain newlines or special characters.

Piping filenames to 'ls -t' and 'tail' can cause issues with newlines or special characters. Consider using 'find' with 'sort' and '-print0', or handle the list in bash to avoid parsing errors.

@qodo-code-review bot commented Nov 3, 2025

PR Code Suggestions ✨

Explore these optional code suggestions:

Category: Possible issue
Suggestion: Correctly remove only outdated config files

Modify the file deletion logic to group files by their unique prefix before
removing older versions. This fixes a bug where the script would incorrectly
delete the latest config files for all but one prefix.

rhtas/tuf-repo-init.sh [316-320]

-# Remove ununused signing_config.v0.2.json files from ${OUTDIR}/targets
-mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
-for file in "${files_to_delete[@]}"; do
-    rm -- "$file"
+# Remove unused signing_config.v0.2.json files from ${OUTDIR}/targets, keeping the newest for each prefix
+find "${OUTDIR}/targets/" -type f -name "*.signing_config.v0.2.json" -printf "%f\n" | \
+    sed 's/\.signing_config\.v0\.2\.json$//' | sort -u | while read -r prefix; do
+    mapfile -t files_to_delete < <(find "${OUTDIR}/targets/" -type f -name "${prefix}.signing_config.v0.2.json" -print0 | xargs -0 ls -t | tail -n +2)
+    if [ ${#files_to_delete[@]} -gt 0 ]; then
+        rm -- "${files_to_delete[@]}"
+    fi
 done
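Review bot: the per-prefix grouping in the `+` lines only changes behaviour if several files share a prefix; if the part before `.signing_config.v0.2.json` is a per-file content digest (the consistent-snapshot naming TUF uses for targets), every inner `find` matches exactly one file, `tail -n +2` yields nothing and the suggested loop deletes nothing, so the claimed bug should be checked against real target names before this is applied. Separately, the inner `find -name "${prefix}.signing_config.v0.2.json"` leaves `${prefix}` unescaped, so a prefix containing `*`, `?` or `[` is treated as a glob, and the `-printf "%f\n"` / `read -r` pair reintroduces the newline splitting that `-print0` avoided on the removed line.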
Suggestion importance [1-10]: 9

Why: The suggestion correctly identifies a critical logic bug in the PR that would cause incorrect file deletion, and provides a robust, correct implementation to fix it.

Impact: High
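A cleanup routine that addresses the points raised by both review bots above (empty match, newline-safe names, unset OUTDIR, a log line per deletion), written here as an added example and not the project's own tuf-repo-init.sh. The function name prune_old_targets, the stderr log format and the file names used in the usage block are assumptions; it relies on GNU find, sort, tail and cut, which the original pipeline already assumes.

```shell
#!/usr/bin/env bash
# Added example, not the project's script: keep only the newest "*<suffix>"
# file under a TUF targets directory, NUL-safe end to end and a no-op when
# zero or one file matches.
set -eo pipefail

# prune_old_targets DIR SUFFIX
# Deletes every regular file under DIR whose name ends in SUFFIX except the
# most recently modified one. Each removed path is logged to stderr.
# Returns 2 (and deletes nothing) if DIR is empty or not a directory.
prune_old_targets() {
    local dir="$1" suffix="$2"
    # With OUTDIR unset, "${OUTDIR}/targets/" would silently become
    # "/targets/"; refuse anything that is not an existing directory.
    if [[ -z "$dir" || ! -d "$dir" ]]; then
        echo "prune_old_targets: not a directory: '$dir'" >&2
        return 2
    fi

    local -a files=()
    # find emits "<mtime-epoch>\t<path>\0"; sort -z orders records newest
    # first by that numeric field; tail -z drops the first (newest) record;
    # cut -z strips the mtime column. mapfile -d '' consumes NUL-delimited
    # records, so a newline inside a file name cannot split a path.
    mapfile -d '' -t files < <(
        find "$dir" -type f -name "*${suffix}" -printf '%T@\t%p\0' \
        | sort -z -t $'\t' -k1,1gr \
        | tail -z -n +2 \
        | cut -z -f2-
    )

    # An empty array means nothing to prune. Unlike "xargs ls -t", no
    # command ever runs without arguments, so an empty targets directory
    # cannot turn into a listing (and deletion) of the current directory.
    local f
    for f in "${files[@]}"; do
        rm -- "$f"
        printf 'prune_old_targets: removed %s\n' "$f" >&2
    done
    return 0
}

# Usage: ./prune.sh OUTDIR   (only runs when executed with an argument;
# suffixes mirror the two cleanup blocks in the PR)
if [[ "${BASH_SOURCE[0]}" == "$0" && $# -ge 1 ]]; then
    for suffix in .trusted_root.json .signing_config.v0.2.json; do
        prune_old_targets "$1/targets" "$suffix"
    done
fi
```

The mtime ordering is the same criterion the PR uses; if the targets directory is populated from a consistent snapshot where the prefix is a content digest, "newest by mtime" is the only ordering available, and the guard on DIR plus the NUL-delimited list are what keep a bad environment or an odd file name from turning the prune into a wider delete.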

@fghanmi fghanmi requested a review from SequeI November 3, 2025 14:54
@fghanmi fghanmi merged commit 8b3c8c9 into develop Nov 3, 2025
22 of 23 checks passed
2 participants