Estate-wide bash automation. Every script is built on
lib/common.sh, which provides safe-by-default strict mode, structured
logging, dry-run support, bounded parallelism, single-instance locking,
signal-safe cleanup, GH CLI rate-limit + retry, snapshot-based rollback,
and repo-iteration helpers.
The directory tree is grouped by purpose via symlinks. The actual
scripts continue to live at scripts/ root (the Elixir TUI hardcodes
those paths).
| Group | Purpose |
|---|---|
| | Shared library ( |
| | Read-only inspection: contractiles, wiki, About metadata, sync, secrets+deps. |
| | Mutating remediations: unwrap, innerHTML, branch protection, composite |
| | Estate-wide sync: update-repos, README standardisation, mirror-policy verification. |
| | Diagnostics: |
Every script that uses lib/common.sh understands:
| Flag | Effect |
|---|---|
| | Read-only; destructive ops are logged, not executed. |
| | Skip confirmation prompts (CI mode). |
| | Bounded parallelism (default 4). |
| | Debug-level logging. |
| | Warnings/errors only. |
| | Per-script help text. |
| Var | Default |
|---|---|
| | (optional) one-repo-per-line filter list |
| | non-empty disables ANSI colours |
| Script | Reports |
|---|---|
| | 6 canonical verbs ( |
| | Wiki enabled/disabled + page count + page list. |
| | GitHub repo About: description, homepage, mandatory topics. |
| | Local HEAD vs origin/<branch> table. Read-only (no fetch). |
| | gitleaks scan + open-Dependabot-alert count. |
| Script | Effect |
|---|---|
| | Reports bare |
| | Annotates / rewrites XSS-prone DOM writes. Snapshot+rollback per file. |
| | Applies the canonical 'Base' ruleset to every non-archived repo. Updates pre-existing rulesets in place. |
| | Runs every fixer in sequence against one repo. Replaces legacy |
| Script | Effect |
|---|---|
| | Fetch + safe-rebase + force-with-lease push across the configured set. ff-only safety; per-repo failure capture. |
| | README.md → README.adoc via pandoc; snapshots saved. |
| | Verifies the GitHub-only-push policy. Flags non-github origins, multi-forge drift, suspicious |
| Script | Effect |
|---|---|
| | Validates gh installed, authenticated, scoped ( |
| | Runs every read-only audit and aggregates into a single Markdown report. |
- `ci-integration-example.sh` → moved to `docs/ci-integration-example.adoc` (it was prose, not a script).
- `md_to_adoc_converter.sh` → deprecation stub forwarding to `standardize_readmes.sh` (original sed regexes were broken).
- `fix-security-issues.sh` → deprecation stub forwarding to `fix/all.sh`.
- `USE-GH-CLI.sh` → deprecation stub forwarding to `health/gh-doctor.sh`.
The deprecation stubs still resolve, so the Elixir TUI’s hardcoded names keep working — they just print a notice and exec the replacement.
```bash
#!/usr/bin/env bash
# SPDX-License-Identifier: MPL-2.0
set -uo pipefail
SCRIPT_DIR="$(cd -- "$(dirname -- "${BASH_SOURCE[0]}")" && pwd)"
. "${SCRIPT_DIR}/lib/common.sh"   # or ../lib/common.sh from a subgroup

GS_SCRIPT_NAME="my-thing"
GS_HELP_TEXT="Usage: my-thing.sh [--dry-run] [--help]"

gs::strict
gs::install_trap
gs::install_trap_summary
gs::lock my-thing   # single-instance protection
gs::need gh jq      # fail fast on missing tools
gs::gh_check        # auth + rate-limit headroom

while (( $# > 0 )); do
  case "$1" in
    -n|--dry-run) GS_DRY_RUN=1 ;;
    -h|--help)    printf '%s\n' "${GS_HELP_TEXT}"; exit 0 ;;
    *)            gs::die "unknown flag: $1" ;;
  esac
  shift
done

while IFS= read -r repo; do
  gs::info "scanning $(basename "${repo}")..."
  gs::do touch "${repo}/.scanned"   # honours --dry-run
done < <(gs::repos)
```
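The skeleton relies on `gs::do` (dry-run), `gs::lock` (single instance) and the snapshot-based rollback the fixers use. As an added illustration, not code from lib/common.sh, here is a minimal self-contained sketch of how those three guards fit together so that a failed in-place rewrite can never leave a truncated file and a second invocation cannot race the first; every name in it (`demo_*`, `DEMO_*`) is hypothetical.

```bash
#!/usr/bin/env bash
# Illustrative sketch only, NOT lib/common.sh: a dry-run guard, a per-file
# snapshot with rollback, and an atomic single-instance lock released by an
# EXIT trap. Every name below (demo_*, DEMO_*) is hypothetical.
set -uo pipefail

DEMO_DRY_RUN="${DEMO_DRY_RUN:-0}"                       # 1 = log, don't mutate
DEMO_SNAPDIR="${DEMO_SNAPDIR:-${TMPDIR:-/tmp}/demo-snap.$$}"

# Run a mutating command, or only log it when dry-run is on.
demo_do() {
  if [ "${DEMO_DRY_RUN}" = 1 ]; then
    printf 'DRY-RUN: %s\n' "$*" >&2
    return 0
  fi
  "$@"
}

# Copy a file aside (taken even in dry-run; only the snapshot dir is written).
demo_snapshot() {
  mkdir -p -- "${DEMO_SNAPDIR}" &&
    cp -p -- "$1" "${DEMO_SNAPDIR}/$(basename -- "$1").orig"
}

# Put the snapshotted copy back over the (possibly damaged) file.
demo_rollback() {
  cp -p -- "${DEMO_SNAPDIR}/$(basename -- "$1").orig" "$1"
}

# Rewrite pattern -> replacement in a file; roll back if sed fails or the
# file ends up empty, so a bad expression never leaves a truncated file.
demo_rewrite() {
  local file="$1" pattern="$2" replacement="$3"
  demo_snapshot "${file}" || return 1
  if ! demo_do sed -i -e "s|${pattern}|${replacement}|g" "${file}" \
     || [ ! -s "${file}" ]; then
    demo_rollback "${file}"
    return 1
  fi
}

# Single-instance lock: mkdir is atomic, so the first caller wins and a
# second invocation with the same name gets status 1 instead of racing.
demo_lock() {
  DEMO_LOCKDIR="${TMPDIR:-/tmp}/${1}.$$.lock.d"
  mkdir -- "${DEMO_LOCKDIR}" 2>/dev/null || return 1
  trap 'rmdir -- "${DEMO_LOCKDIR}" 2>/dev/null' EXIT     # released on any exit
}
```

With `DEMO_DRY_RUN=1` the `sed` call is only logged and the target is untouched; with it unset, a malformed pattern makes `sed` fail and the snapshot is copied back.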