fix(api-docs/cpp): silence remaining SC2016 false positives

[WomB0ComB0]

Follow-up to #72. The previous fix only addressed the find glob; vcpkg`s actionlint then surfaced two more SC2016 false positives in the same template (shellcheck reports one per file per run, so each fix unmasks the next).

Findings closed by this PR

sed -i -E 's/ inline//g'

Backticks in the sed pattern are literal characters matching the markdown code-span delimiters around the word inline in moxygen output. shellcheck SC2016 thinks they are command substitution and flags the line.

Switching to double quotes would require "s/ \\\\\\inline\\\//g" — ugly. Annotated with # shellcheck disable=SC2016 and a comment explaining the rationale.

sed 's|^\\./||; s|\\.md$||'

The $ is a regex end-of-line anchor, not parameter expansion. Switched to double-quoted with \\$ escape — clean and equivalent.

Why this only matters for vcpkg

vcpkgs security.ymlcallsresq-software/.github/.github/workflows/security-scan.yml@main(floating). The other 4 source repos pin commitbd95037`, which evidently treats SC2016 as advisory rather than fatal. Once they update their pin they will hit the same problem; the same patterns exist in their templates (see follow-up note below).

Out of scope

The sed "s|\\.md\\$||" end-anchor pattern exists identically in the python, dotnet, typescript, and rust templates (line 510, 472, 457, 597 respectively). Not preemptively fixed in this PR to avoid triggering 4 unnecessary cross-repo sync cycles for repos where actionlint currently passes. When their security-scan pin updates, fix them then.

Test plan

• Visual diff: 7 lines, 1 file
• After merge + sync to vcpkg, the gates / Security / actionlint check should pass

Related

• fix(api-docs/rust): close template-injection on ref + pin cargo-doc-md #70, fix(api-docs/sisters): close template-injection on ref in cpp/dotnet/python/typescript #71, fix(api-docs/cpp): silence actionlint SC2016 on find globs #72 (template hardening)
• vcpkg#11, vcpkg#12 (admin-merged with pre-existing failures, documented)

[coderabbitai]

Warning

Rate limit exceeded

@WomB0ComB0 has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 45 minutes and 19 seconds before requesting another review.

You’ve run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: defaults

Review profile: CHILL

Plan: Pro

Run ID: 914f64de-3d48-4768-af80-bf4c3bc2c98d

📥 Commits

Reviewing files that changed from the base of the PR and between 05abdaa and 1ed7e5a.

📒 Files selected for processing (1)

• automation/source-repo-templates/api-docs.cpp.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Commit unit tests in branch fix/cpp-template-sc2016-residual

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[gemini-code-assist]

Code Review

This pull request updates the API documentation workflow by adding ShellCheck suppression comments and modifying sed syntax to avoid linting warnings. Feedback suggests that using double quotes for sed patterns may be fragile and recommends sticking to single quotes with explicit disable comments to ensure robustness against special characters in filenames. Additionally, the review highlights potential improvements for handling file paths in monorepos and refining the scope of file discovery in CI to prevent failures.

[gemini-code-assist]

While switching to double quotes silences the ShellCheck SC2016 false positive, using | as a delimiter in sed can be fragile if any generated file paths contain that character. Since find . output always contains /, the pipe delimiter is generally safer than a slash, but if the environment allows for arbitrary filenames, it could still fail. A more robust way to handle the extension stripping while keeping ShellCheck happy would be to use single quotes and a disable comment, or use a different tool like basename or shell parameter expansion. Additionally, ensure that the documentation configuration includes the relative path to the package directory in source code links to ensure they resolve correctly in a monorepo, and consider using find with -maxdepth 2 or explicit project lists to limit discovery scope in CI.

References

1. When configuring source code links in documentation generators for monorepos, the base URL must include the relative path to the package directory to ensure 'View source' links resolve correctly to the file locations.
2. Prefer explicit project lists over automated discovery in CI workflows if the repository structure contains duplicate project configurations.
3. In CI workflows, dynamically discover build artifacts (e.g., using 'find' with '-maxdepth 2') instead of hardcoding paths to ensure consistency and prevent failures.