From ea035ae16599861b3cd05c9f86c694ddf527d279 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:07:41 -0700
Subject: [PATCH 01/11] shellcheck fix: tests/tests/functional/dump-db.sh

---
 maintainers/flake-module.nix | 1 -
 1 file changed, 1 deletion(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 50574c129..b2acc36d9 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/dump-db\.sh$''
               ''^tests/functional/fetchGitSubmodules\.sh$''
               ''^tests/functional/fetchGitVerification\.sh$''
               ''^tests/functional/fetchMercurial\.sh$''

From 53ad2433b4263bd844c43d67fc3681983acc6fd6 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:09:36 -0700
Subject: [PATCH 02/11] shellcheck fix: tests/functional/fetchGitSubmodules.sh

---
 maintainers/flake-module.nix           |   1 -
 tests/functional/fetchGitSubmodules.sh | 153 +++++++++++++------------
 2 files changed, 77 insertions(+), 77 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index b2acc36d9..ba38633bc 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/fetchGitSubmodules\.sh$''
               ''^tests/functional/fetchGitVerification\.sh$''
               ''^tests/functional/fetchMercurial\.sh$''
               ''^tests/functional/fixed\.builder1\.sh$''
diff --git a/tests/functional/fetchGitSubmodules.sh b/tests/functional/fetchGitSubmodules.sh
index cd3b51674..2a25245be 100755
--- a/tests/functional/fetchGitSubmodules.sh
+++ b/tests/functional/fetchGitSubmodules.sh
@@ -11,7 +11,7 @@ clearStoreIfPossible
 rootRepo=$TEST_ROOT/gitSubmodulesRoot
 subRepo=$TEST_ROOT/gitSubmodulesSub
 
-rm -rf ${rootRepo} ${subRepo} $TEST_HOME/.cache/nix
+rm -rf "${rootRepo}" "${subRepo}" "$TEST_HOME"/.cache/nix
 
 # Submodules can't be fetched locally by default, which can cause
 # information leakage vulnerabilities, but for these tests our
@@ -23,35 +23,35 @@ export XDG_CONFIG_HOME=$TEST_HOME/.config
 git config --global protocol.file.allow always
 
 initGitRepo() {
-    git init $1
-    git -C $1 config user.email "foobar@example.com"
-    git -C $1 config user.name "Foobar"
+    git init "$1"
+    git -C "$1" config user.email "foobar@example.com"
+    git -C "$1" config user.name "Foobar"
 }
 
 addGitContent() {
-    echo "lorem ipsum" > $1/content
-    git -C $1 add content
-    git -C $1 commit -m "Initial commit"
+    echo "lorem ipsum" > "$1"/content
+    git -C "$1" add content
+    git -C "$1" commit -m "Initial commit"
 }
 
-initGitRepo $subRepo
-addGitContent $subRepo
+initGitRepo "$subRepo"
+addGitContent "$subRepo"
 
-initGitRepo $rootRepo
+initGitRepo "$rootRepo"
 
-git -C $rootRepo submodule init
-git -C $rootRepo submodule add $subRepo sub
-git -C $rootRepo add sub
-git -C $rootRepo commit -m "Add submodule"
+git -C "$rootRepo" submodule init
+git -C "$rootRepo" submodule add "$subRepo" sub
+git -C "$rootRepo" add sub
+git -C "$rootRepo" commit -m "Add submodule"
 
-rev=$(git -C $rootRepo rev-parse HEAD)
+rev=$(git -C "$rootRepo" rev-parse HEAD)
 
 r1=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; rev = \"$rev\"; }).outPath")
 r2=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; rev = \"$rev\"; submodules = false; }).outPath")
 r3=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; rev = \"$rev\"; submodules = true; }).outPath")
 
-[[ $r1 == $r2 ]]
-[[ $r2 != $r3 ]]
+[[ $r1 == "$r2" ]]
+[[ $r2 != "$r3" ]]
 
 r4=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; ref = \"master\"; rev = \"$rev\"; }).outPath")
 r5=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; ref = \"master\"; rev = \"$rev\"; submodules = false; }).outPath")
@@ -59,11 +59,11 @@ r6=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; ref = \
 r7=$(nix eval --raw --expr "(builtins.fetchGit { url = $rootRepo; ref = \"master\"; rev = \"$rev\"; submodules = true; }).outPath")
 r8=$(nix eval --raw --expr "(builtins.fetchGit { url = $rootRepo; rev = \"$rev\"; submodules = true; }).outPath")
 
-[[ $r1 == $r4 ]]
-[[ $r4 == $r5 ]]
-[[ $r3 == $r6 ]]
-[[ $r6 == $r7 ]]
-[[ $r7 == $r8 ]]
+[[ $r1 == "$r4" ]]
+[[ $r4 == "$r5" ]]
+[[ $r3 == "$r6" ]]
+[[ $r6 == "$r7" ]]
+[[ $r7 == "$r8" ]]
 
 have_submodules=$(nix eval --expr "(builtins.fetchGit { url = $rootRepo; rev = \"$rev\"; }).submodules")
 [[ $have_submodules == false ]]
@@ -80,13 +80,13 @@ pathWithSubmodulesAgain=$(nix eval --raw --expr "(builtins.fetchGit { url = file
 pathWithSubmodulesAgainWithRef=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; ref = \"master\"; rev = \"$rev\"; submodules = true; }).outPath")
 
 # The resulting store path cannot be the same.
-[[ $pathWithoutSubmodules != $pathWithSubmodules ]]
+[[ $pathWithoutSubmodules != "$pathWithSubmodules" ]]
 
 # Checking out the same repo with submodules returns in the same store path.
-[[ $pathWithSubmodules == $pathWithSubmodulesAgain ]]
+[[ $pathWithSubmodules == "$pathWithSubmodulesAgain" ]]
 
 # Checking out the same repo with submodules returns in the same store path.
-[[ $pathWithSubmodulesAgain == $pathWithSubmodulesAgainWithRef ]]
+[[ $pathWithSubmodulesAgain == "$pathWithSubmodulesAgainWithRef" ]]
 
 # The submodules flag is actually honored.
 [[ ! -e $pathWithoutSubmodules/sub/content ]]
@@ -98,14 +98,14 @@ pathWithSubmodulesAgainWithRef=$(nix eval --raw --expr "(builtins.fetchGit { url
 test "$(find "$pathWithSubmodules" -name .git)" = ""
 
 # Git repos without submodules can be fetched with submodules = true.
-subRev=$(git -C $subRepo rev-parse HEAD)
+subRev=$(git -C "$subRepo" rev-parse HEAD)
 noSubmoduleRepoBaseline=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$subRepo; rev = \"$subRev\"; }).outPath")
 noSubmoduleRepo=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$subRepo; rev = \"$subRev\"; submodules = true; }).outPath")
 
-[[ $noSubmoduleRepoBaseline == $noSubmoduleRepo ]]
+[[ $noSubmoduleRepoBaseline == "$noSubmoduleRepo" ]]
 
 # Test .gitmodules with entries that refer to non-existent objects or objects that are not submodules.
-cat >> $rootRepo/.gitmodules <<EOF
+cat >> "$rootRepo"/.gitmodules <<EOF
 [submodule "missing"]
         path = missing
         url = https://example.org/missing.git
@@ -114,11 +114,11 @@ cat >> $rootRepo/.gitmodules <<EOF
         path = file
         url = https://example.org/file.git
 EOF
-echo foo > $rootRepo/file
-git -C $rootRepo add file
-git -C $rootRepo commit -a -m "Add bad submodules"
+echo foo > "$rootRepo"/file
+git -C "$rootRepo" add file
+git -C "$rootRepo" commit -a -m "Add bad submodules"
 
-rev=$(git -C $rootRepo rev-parse HEAD)
+rev=$(git -C "$rootRepo" rev-parse HEAD)
 
 r=$(nix eval --raw --expr "builtins.fetchGit { url = file://$rootRepo; rev = \"$rev\"; submodules = true; }")
 
@@ -126,44 +126,44 @@ r=$(nix eval --raw --expr "builtins.fetchGit { url = file://$rootRepo; rev = \"$
 [[ ! -e $r/missing ]]
 
 # Test relative submodule URLs.
-rm $TEST_HOME/.cache/nix/fetcher-cache*
-rm -rf $rootRepo/.git $rootRepo/.gitmodules $rootRepo/sub
-initGitRepo $rootRepo
-git -C $rootRepo submodule add ../gitSubmodulesSub sub
-git -C $rootRepo commit -m "Add submodule"
-rev2=$(git -C $rootRepo rev-parse HEAD)
+rm "$TEST_HOME"/.cache/nix/fetcher-cache*
+rm -rf "$rootRepo"/.git "$rootRepo"/.gitmodules "$rootRepo"/sub
+initGitRepo "$rootRepo"
+git -C "$rootRepo" submodule add ../gitSubmodulesSub sub
+git -C "$rootRepo" commit -m "Add submodule"
+rev2=$(git -C "$rootRepo" rev-parse HEAD)
 pathWithRelative=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$rootRepo; rev = \"$rev2\"; submodules = true; }).outPath")
-diff -r -x .gitmodules $pathWithSubmodules $pathWithRelative
+diff -r -x .gitmodules "$pathWithSubmodules" "$pathWithRelative"
 
 # Test clones that have an upstream with relative submodule URLs.
-rm $TEST_HOME/.cache/nix/fetcher-cache*
+rm "$TEST_HOME"/.cache/nix/fetcher-cache*
 cloneRepo=$TEST_ROOT/a/b/gitSubmodulesClone # NB /a/b to make the relative path not work relative to $cloneRepo
-git clone $rootRepo $cloneRepo
+git clone "$rootRepo" "$cloneRepo"
 pathIndirect=$(nix eval --raw --expr "(builtins.fetchGit { url = file://$cloneRepo; rev = \"$rev2\"; submodules = true; }).outPath")
-[[ $pathIndirect = $pathWithRelative ]]
+[[ $pathIndirect = "$pathWithRelative" ]]
 
 # Test submodule export-ignore interaction
-git -C $rootRepo/sub config user.email "foobar@example.com"
-git -C $rootRepo/sub config user.name "Foobar"
+git -C "$rootRepo"/sub config user.email "foobar@example.com"
+git -C "$rootRepo"/sub config user.name "Foobar"
 
-echo "/exclude-from-root export-ignore" >> $rootRepo/.gitattributes
+echo "/exclude-from-root export-ignore" >> "$rootRepo"/.gitattributes
 # TBD possible semantics for submodules + exportIgnore
 # echo "/sub/exclude-deep export-ignore" >> $rootRepo/.gitattributes
-echo nope > $rootRepo/exclude-from-root
-git -C $rootRepo add .gitattributes exclude-from-root
-git -C $rootRepo commit -m "Add export-ignore"
+echo nope > "$rootRepo"/exclude-from-root
+git -C "$rootRepo" add .gitattributes exclude-from-root
+git -C "$rootRepo" commit -m "Add export-ignore"
 
-echo "/exclude-from-sub export-ignore" >> $rootRepo/sub/.gitattributes
-echo nope > $rootRepo/sub/exclude-from-sub
+echo "/exclude-from-sub export-ignore" >> "$rootRepo"/sub/.gitattributes
+echo nope > "$rootRepo"/sub/exclude-from-sub
 # TBD possible semantics for submodules + exportIgnore
 # echo aye > $rootRepo/sub/exclude-from-root
-git -C $rootRepo/sub add .gitattributes exclude-from-sub
-git -C $rootRepo/sub commit -m "Add export-ignore (sub)"
+git -C "$rootRepo"/sub add .gitattributes exclude-from-sub
+git -C "$rootRepo"/sub commit -m "Add export-ignore (sub)"
 
-git -C $rootRepo add sub
-git -C $rootRepo commit -m "Update submodule"
+git -C "$rootRepo" add sub
+git -C "$rootRepo" commit -m "Update submodule"
 
-git -C $rootRepo status
+git -C "$rootRepo" status
 
 # # TBD: not supported yet, because semantics are undecided and current implementation leaks rules from the root to submodules
 # # exportIgnore can be used with submodules
@@ -199,39 +199,40 @@ test_submodule_nested() {
   local repoB=$TEST_ROOT/submodule_nested/b
   local repoC=$TEST_ROOT/submodule_nested/c
 
-  rm -rf $repoA $repoB $repoC $TEST_HOME/.cache/nix
+  rm -rf "$repoA" "$repoB" "$repoC" "$TEST_HOME"/.cache/nix
 
-  initGitRepo $repoC
-  touch $repoC/inside-c
-  git -C $repoC add inside-c
-  addGitContent $repoC
+  initGitRepo "$repoC"
+  touch "$repoC"/inside-c
+  git -C "$repoC" add inside-c
+  addGitContent "$repoC"
 
-  initGitRepo $repoB
-  git -C $repoB submodule add $repoC c
-  git -C $repoB add c
-  addGitContent $repoB
+  initGitRepo "$repoB"
+  git -C "$repoB" submodule add "$repoC" c
+  git -C "$repoB" add c
+  addGitContent "$repoB"
 
-  initGitRepo $repoA
-  git -C $repoA submodule add $repoB b
-  git -C $repoA add b
-  addGitContent $repoA
+  initGitRepo "$repoA"
+  git -C "$repoA" submodule add "$repoB" b
+  git -C "$repoA" add b
+  addGitContent "$repoA"
 
 
   # Check non-worktree fetch
-  local rev=$(git -C $repoA rev-parse HEAD)
+  local rev
+  rev=$(git -C "$repoA" rev-parse HEAD)
   out=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = \"file://$repoA\"; rev = \"$rev\"; submodules = true; }).outPath")
-  test -e $out/b/c/inside-c
-  test -e $out/content
-  test -e $out/b/content
-  test -e $out/b/c/content
+  test -e "$out"/b/c/inside-c
+  test -e "$out"/content
+  test -e "$out"/b/content
+  test -e "$out"/b/c/content
   local nonWorktree=$out
 
   # Check worktree based fetch
   # TODO: make it work without git submodule update
-  git -C $repoA submodule update --init --recursive
+  git -C "$repoA" submodule update --init --recursive
   out=$(nix eval --impure --raw --expr "(builtins.fetchGit { url = \"file://$repoA\"; submodules = true; }).outPath")
-  find $out
-  [[ $out == $nonWorktree ]] || { find $out; false; }
+  find "$out"
+  [[ $out == "$nonWorktree" ]] || { find "$out"; false; }
 
 }
 test_submodule_nested

From c4c35243180c7ed55c115bb9258aeb412572cb61 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:11:07 -0700
Subject: [PATCH 03/11] shellcheck fix:
 tests/functional/fetchGitVerification.sh

---
 maintainers/flake-module.nix             |  1 -
 tests/functional/fetchGitVerification.sh | 25 ++++++++++++------------
 2 files changed, 13 insertions(+), 13 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index ba38633bc..d303cb213 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/fetchGitVerification\.sh$''
               ''^tests/functional/fetchMercurial\.sh$''
               ''^tests/functional/fixed\.builder1\.sh$''
               ''^tests/functional/fixed\.builder2\.sh$''
diff --git a/tests/functional/fetchGitVerification.sh b/tests/functional/fetchGitVerification.sh
index 4012d8229..79c78d0c9 100755
--- a/tests/functional/fetchGitVerification.sh
+++ b/tests/functional/fetchGitVerification.sh
@@ -21,29 +21,29 @@ ssh-keygen -f "$keysDir/testkey2" -t rsa -P "" -C "test key 2"
 key2File="$keysDir/testkey2.pub"
 publicKey2=$(awk '{print $2}' "$key2File")
 
-git init $repo
-git -C $repo config user.email "foobar@example.com"
-git -C $repo config user.name "Foobar"
-git -C $repo config gpg.format ssh
+git init "$repo"
+git -C "$repo" config user.email "foobar@example.com"
+git -C "$repo" config user.name "Foobar"
+git -C "$repo" config gpg.format ssh
 
-echo 'hello' > $repo/text
-git -C $repo add text
-git -C $repo -c "user.signingkey=$key1File" commit -S -m 'initial commit'
+echo 'hello' > "$repo"/text
+git -C "$repo" add text
+git -C "$repo" -c "user.signingkey=$key1File" commit -S -m 'initial commit'
 
 out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
 [[ $status == 1 ]]
-[[ $out =~ 'No principal matched.' ]]
+[[ $out == *'No principal matched.'* ]]
 [[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKey = \"$publicKey1\"; } + \"/text\")") = 'hello' ]]
 
-echo 'hello world' > $repo/text
+echo 'hello world' > "$repo"/text
 
 # Verification on a dirty repo should fail.
 out=$(nix eval --impure --raw --expr "builtins.fetchGit { url = \"file://$repo\"; keytype = \"ssh-rsa\"; publicKey = \"$publicKey2\"; }" 2>&1) || status=$?
 [[ $status == 1 ]]
 [[ $out =~ 'dirty' ]]
 
-git -C $repo add text
-git -C $repo -c "user.signingkey=$key2File" commit -S -m 'second commit'
+git -C "$repo" add text
+git -C "$repo" -c "user.signingkey=$key2File" commit -S -m 'second commit'
 
 [[ $(nix eval --impure --raw --expr "builtins.readFile (builtins.fetchGit { url = \"file://$repo\"; publicKeys = [{key = \"$publicKey1\";} {type = \"ssh-rsa\"; key = \"$publicKey2\";}]; } + \"/text\")") = 'hello world' ]]
 
@@ -80,5 +80,6 @@ cat > "$flakeDir/flake.nix" <<EOF
 }
 EOF
 out=$(nix build "$flakeDir#test" 2>&1) || status=$?
+
 [[ $status == 1 ]]
-[[ $out =~ 'No principal matched.' ]]
+[[ $out == *'No principal matched.'* ]]

From 4cec876319d84e6033a184ef6fb81d9d6fac265e Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:13:38 -0700
Subject: [PATCH 04/11] shellcheck fix: tests/functional/fetchMercurial.sh

---
 maintainers/flake-module.nix       |  1 -
 tests/functional/fetchMercurial.sh | 85 +++++++++++++++---------------
 2 files changed, 43 insertions(+), 43 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index d303cb213..3470f853f 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/fetchMercurial\.sh$''
               ''^tests/functional/fixed\.builder1\.sh$''
               ''^tests/functional/fixed\.builder2\.sh$''
               ''^tests/functional/fixed\.sh$''
diff --git a/tests/functional/fetchMercurial.sh b/tests/functional/fetchMercurial.sh
index 6de192865..6293fb76a 100755
--- a/tests/functional/fetchMercurial.sh
+++ b/tests/functional/fetchMercurial.sh
@@ -12,34 +12,35 @@ clearStore
 # See https://github.com/NixOS/nix/issues/6195
 repo=$TEST_ROOT/./hg
 
-rm -rf $repo ${repo}-tmp $TEST_HOME/.cache/nix
+rm -rf "$repo" "${repo}"-tmp "$TEST_HOME"/.cache/nix
 
-hg init $repo
-echo '[ui]' >> $repo/.hg/hgrc
-echo 'username = Foobar <foobar@example.org>' >> $repo/.hg/hgrc
+hg init "$repo"
+{
+    echo '[ui]'
+    echo 'username = Foobar <foobar@example.org>'
+    # Set ui.tweakdefaults to ensure HGPLAIN is being set.
+    echo 'tweakdefaults = True'
+} >> "$repo"/.hg/hgrc
 
-# Set ui.tweakdefaults to ensure HGPLAIN is being set.
-echo 'tweakdefaults = True' >> $repo/.hg/hgrc
+echo utrecht > "$repo"/hello
+touch "$repo"/.hgignore
+hg add --cwd "$repo" hello .hgignore
+hg commit --cwd "$repo" -m 'Bla1'
+rev1=$(hg log --cwd "$repo" -r tip --template '{node}')
 
-echo utrecht > $repo/hello
-touch $repo/.hgignore
-hg add --cwd $repo hello .hgignore
-hg commit --cwd $repo -m 'Bla1'
-rev1=$(hg log --cwd $repo -r tip --template '{node}')
-
-echo world > $repo/hello
-hg commit --cwd $repo -m 'Bla2'
-rev2=$(hg log --cwd $repo -r tip --template '{node}')
+echo world > "$repo"/hello
+hg commit --cwd "$repo" -m 'Bla2'
+rev2=$(hg log --cwd "$repo" -r tip --template '{node}')
 
 # Fetch an unclean branch.
-echo unclean > $repo/hello
+echo unclean > "$repo"/hello
 path=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
-[[ $(cat $path/hello) = unclean ]]
-hg revert --cwd $repo --all
+[[ $(cat "$path"/hello) = unclean ]]
+hg revert --cwd "$repo" --all
 
 # Fetch the default branch.
 path=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
-[[ $(cat $path/hello) = world ]]
+[[ $(cat "$path"/hello) = world ]]
 
 # In pure eval mode, fetchGit without a revision should fail.
 [[ $(nix eval --impure --raw --expr "(builtins.readFile (fetchMercurial file://$repo + \"/hello\"))") = world ]]
@@ -47,64 +48,64 @@ path=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).ou
 
 # Fetch using an explicit revision hash.
 path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
-[[ $path = $path2 ]]
+[[ $path = "$path2" ]]
 
 # In pure eval mode, fetchGit with a revision should succeed.
 [[ $(nix eval --raw --expr "builtins.readFile (fetchMercurial { url = file://$repo; rev = \"$rev2\"; } + \"/hello\")") = world ]]
 
 # Fetch again. This should be cached.
-mv $repo ${repo}-tmp
+mv "$repo" "${repo}"-tmp
 path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
-[[ $path = $path2 ]]
+[[ $path = "$path2" ]]
 
 [[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).branch") = default ]]
 [[ $(nix eval --impure --expr "(builtins.fetchMercurial file://$repo).revCount") = 1 ]]
-[[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).rev") = $rev2 ]]
+[[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial file://$repo).rev") = "$rev2" ]]
 
 # But with TTL 0, it should fail.
 (! nix eval --impure --refresh --expr "builtins.fetchMercurial file://$repo")
 
 # Fetching with a explicit hash should succeed.
 path2=$(nix eval --refresh --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev2\"; }).outPath")
-[[ $path = $path2 ]]
+[[ $path = "$path2" ]]
 
 path2=$(nix eval --refresh --raw --expr "(builtins.fetchMercurial { url = file://$repo; rev = \"$rev1\"; }).outPath")
-[[ $(cat $path2/hello) = utrecht ]]
+[[ $(cat "$path2"/hello) = utrecht ]]
 
-mv ${repo}-tmp $repo
+mv "${repo}"-tmp "$repo"
 
 # Using a clean working tree should produce the same result.
 path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).outPath")
-[[ $path = $path2 ]]
+[[ $path = "$path2" ]]
 
 # Using an unclean tree should yield the tracked but uncommitted changes.
-mkdir $repo/dir1 $repo/dir2
-echo foo > $repo/dir1/foo
-echo bar > $repo/bar
-echo bar > $repo/dir2/bar
-hg add --cwd $repo dir1/foo
-hg rm --cwd $repo hello
+mkdir "$repo"/dir1 "$repo"/dir2
+echo foo > "$repo"/dir1/foo
+echo bar > "$repo"/bar
+echo bar > "$repo"/dir2/bar
+hg add --cwd "$repo" dir1/foo
+hg rm --cwd "$repo" hello
 
 path2=$(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).outPath")
-[ ! -e $path2/hello ]
-[ ! -e $path2/bar ]
-[ ! -e $path2/dir2/bar ]
-[ ! -e $path2/.hg ]
-[[ $(cat $path2/dir1/foo) = foo ]]
+[ ! -e "$path2"/hello ]
+[ ! -e "$path2"/bar ]
+[ ! -e "$path2"/dir2/bar ]
+[ ! -e "$path2"/.hg ]
+[[ $(cat "$path2"/dir1/foo) = foo ]]
 
 [[ $(nix eval --impure --raw --expr "(builtins.fetchMercurial $repo).rev") = 0000000000000000000000000000000000000000 ]]
 
 # ... unless we're using an explicit ref.
 path3=$(nix eval --impure --raw --expr "(builtins.fetchMercurial { url = $repo; rev = \"default\"; }).outPath")
-[[ $path = $path3 ]]
+[[ $path = "$path3" ]]
 
 # Committing should not affect the store path.
-hg commit --cwd $repo -m 'Bla3'
+hg commit --cwd "$repo" -m 'Bla3'
 
 path4=$(nix eval --impure --refresh --raw --expr "(builtins.fetchMercurial file://$repo).outPath")
-[[ $path2 = $path4 ]]
+[[ $path2 = "$path4" ]]
 
-echo paris > $repo/hello
+echo paris > "$repo"/hello
 
 # Passing a `name` argument should be reflected in the output path
 path5=$(nix eval -vvvvv --impure --refresh --raw --expr "(builtins.fetchMercurial { url = \"file://$repo\"; name = \"foo\"; } ).outPath")

From f8e351cd945f4ae444b57c3917b3648af3b0c709 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:16:47 -0700
Subject: [PATCH 05/11] shellcheck fix: tests/functional/fixed

---
 maintainers/flake-module.nix       |  3 ---
 tests/functional/fixed.builder1.sh |  4 +++-
 tests/functional/fixed.builder2.sh | 13 ++++++++-----
 tests/functional/fixed.sh          | 20 ++++++++++----------
 4 files changed, 21 insertions(+), 19 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 3470f853f..0742d2a6a 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,9 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/fixed\.builder1\.sh$''
-              ''^tests/functional/fixed\.builder2\.sh$''
-              ''^tests/functional/fixed\.sh$''
               ''^tests/functional/flakes/absolute-paths\.sh$''
               ''^tests/functional/flakes/check\.sh$''
               ''^tests/functional/flakes/config\.sh$''
diff --git a/tests/functional/fixed.builder1.sh b/tests/functional/fixed.builder1.sh
index c41bb2b9a..172f65e6b 100644
--- a/tests/functional/fixed.builder1.sh
+++ b/tests/functional/fixed.builder1.sh
@@ -1,3 +1,5 @@
+# shellcheck shell=bash
 if test "$IMPURE_VAR1" != "foo"; then exit 1; fi
 if test "$IMPURE_VAR2" != "bar"; then exit 1; fi
-echo "Hello World!" > $out
+# shellcheck disable=SC2154
+echo "Hello World!" > "$out"
diff --git a/tests/functional/fixed.builder2.sh b/tests/functional/fixed.builder2.sh
index 31ea1579a..9fbcf022e 100644
--- a/tests/functional/fixed.builder2.sh
+++ b/tests/functional/fixed.builder2.sh
@@ -1,6 +1,9 @@
-echo dummy: $dummy
+# shellcheck shell=bash
+# shellcheck disable=SC2154
+echo dummy: "$dummy"
 if test -n "$dummy"; then sleep 2; fi
-mkdir $out
-mkdir $out/bla
-echo "Hello World!" > $out/foo
-ln -s foo $out/bar
+# shellcheck disable=SC2154
+mkdir "$out"
+mkdir "$out"/bla
+echo "Hello World!" > "$out"/foo
+ln -s foo "$out"/bar
diff --git a/tests/functional/fixed.sh b/tests/functional/fixed.sh
index d98769e64..edf6f88d4 100755
--- a/tests/functional/fixed.sh
+++ b/tests/functional/fixed.sh
@@ -6,7 +6,7 @@ TODO_NixOS
 
 clearStore
 
-path=$(nix-store -q $(nix-instantiate fixed.nix -A good.0))
+path=$(nix-store -q "$(nix-instantiate fixed.nix -A good.0)")
 
 echo 'testing bad...'
 nix-build fixed.nix -A bad --no-out-link && fail "should fail"
@@ -14,7 +14,7 @@ nix-build fixed.nix -A bad --no-out-link && fail "should fail"
 # Building with the bad hash should produce the "good" output path as
 # a side-effect.
 [[ -e $path ]]
-nix path-info --json $path | grep fixed:md5:2qk15sxzzjlnpjk9brn7j8ppcd
+nix path-info --json "$path" | grep fixed:md5:2qk15sxzzjlnpjk9brn7j8ppcd
 
 echo 'testing good...'
 nix-build fixed.nix -A good --no-out-link
@@ -37,7 +37,7 @@ fi
 
 # While we're at it, check attribute selection a bit more.
 echo 'testing attribute selection...'
-test $(nix-instantiate fixed.nix -A good.1 | wc -l) = 1
+test "$(nix-instantiate fixed.nix -A good.1 | wc -l)" = 1
 
 # Test parallel builds of derivations that produce the same output.
 # Only one should run at the same time.
@@ -51,16 +51,16 @@ echo 'testing sameAsAdd...'
 out=$(nix-build fixed.nix -A sameAsAdd --no-out-link)
 
 # This is what fixed.builder2 produces...
-rm -rf $TEST_ROOT/fixed
-mkdir $TEST_ROOT/fixed
-mkdir $TEST_ROOT/fixed/bla
-echo "Hello World!" > $TEST_ROOT/fixed/foo
-ln -s foo $TEST_ROOT/fixed/bar
+rm -rf "$TEST_ROOT"/fixed
+mkdir "$TEST_ROOT"/fixed
+mkdir "$TEST_ROOT"/fixed/bla
+echo "Hello World!" > "$TEST_ROOT"/fixed/foo
+ln -s foo "$TEST_ROOT"/fixed/bar
 
-out2=$(nix-store --add $TEST_ROOT/fixed)
+out2=$(nix-store --add "$TEST_ROOT"/fixed)
 [ "$out" = "$out2" ]
 
-out3=$(nix-store --add-fixed --recursive sha256 $TEST_ROOT/fixed)
+out3=$(nix-store --add-fixed --recursive sha256 "$TEST_ROOT"/fixed)
 [ "$out" = "$out3" ]
 
 out4=$(nix-store --print-fixed-path --recursive sha256 "1ixr6yd3297ciyp9im522dfxpqbkhcw0pylkb2aab915278fqaik" fixed)

From 8839bab84d97acc8531bf44399b5ca1269dd6f21 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:20:00 -0700
Subject: [PATCH 06/11] shellcheck fix: completion files

---
 maintainers/flake-module.nix | 4 ----
 misc/fish/completion.fish    | 1 +
 misc/zsh/completion.zsh      | 1 +
 3 files changed, 2 insertions(+), 4 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 0742d2a6a..3de348703 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -197,10 +197,6 @@
               ''^tests/functional/user-envs\.sh$''
               ''^tests/functional/why-depends\.sh$''
 
-              # Shellcheck doesn't support fish or zsh shell syntax
-              ''^misc/fish/completion\.fish$''
-              ''^misc/zsh/completion\.zsh$''
-
               # Content-addressed test files that use recursive-*looking* sourcing
               # (cd .. && source <self>), causing shellcheck to loop
               # They're small wrapper scripts with not a lot going on
diff --git a/misc/fish/completion.fish b/misc/fish/completion.fish
index c6b8ef16a..b6584963b 100644
--- a/misc/fish/completion.fish
+++ b/misc/fish/completion.fish
@@ -1,3 +1,4 @@
+# shellcheck disable=all
 function _nix_complete
   # Get the current command up to a cursor.
   # - Behaves correctly even with pipes and nested in commands like env.
diff --git a/misc/zsh/completion.zsh b/misc/zsh/completion.zsh
index f9b3dca74..eb26a16cb 100644
--- a/misc/zsh/completion.zsh
+++ b/misc/zsh/completion.zsh
@@ -1,3 +1,4 @@
+# shellcheck disable=all
 #compdef nix
 
 function _nix() {

From 9bf8e7b73019615ffa14a73086205ab424a328a8 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:20:51 -0700
Subject: [PATCH 07/11] shellcheck fix:
 tests/functional/flakes/absolute-paths.sh

---
 maintainers/flake-module.nix              |  1 -
 tests/functional/flakes/absolute-paths.sh | 10 +++++-----
 2 files changed, 5 insertions(+), 6 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 3de348703..84f444480 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/flakes/absolute-paths\.sh$''
               ''^tests/functional/flakes/check\.sh$''
               ''^tests/functional/flakes/config\.sh$''
               ''^tests/functional/flakes/flakes\.sh$''
diff --git a/tests/functional/flakes/absolute-paths.sh b/tests/functional/flakes/absolute-paths.sh
index a355a7a1c..6565857cb 100755
--- a/tests/functional/flakes/absolute-paths.sh
+++ b/tests/functional/flakes/absolute-paths.sh
@@ -7,13 +7,13 @@ requireGit
 flake1Dir=$TEST_ROOT/flake1
 flake2Dir=$TEST_ROOT/flake2
 
-createGitRepo $flake1Dir
-cat > $flake1Dir/flake.nix <<EOF
+createGitRepo "$flake1Dir"
+cat > "$flake1Dir"/flake.nix <<EOF
 {
     outputs = { self }: { x = builtins.readFile $(pwd)/absolute-paths.sh; };
 }
 EOF
-git -C $flake1Dir add flake.nix
-git -C $flake1Dir commit -m Initial
+git -C "$flake1Dir" add flake.nix
+git -C "$flake1Dir" commit -m Initial
 
-nix eval --impure --json $flake1Dir#x
+nix eval --impure --json "$flake1Dir"#x

From 26a10453c331a317b9d5fb36703719d08ed74f2b Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:23:02 -0700
Subject: [PATCH 08/11] shellcheck fix: tests/functional/flakes/check.sh

---
 maintainers/flake-module.nix     |  1 -
 tests/functional/flakes/check.sh | 61 +++++++++++++++++---------------
 2 files changed, 33 insertions(+), 29 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 84f444480..6f9985e0b 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/flakes/check\.sh$''
               ''^tests/functional/flakes/config\.sh$''
               ''^tests/functional/flakes/flakes\.sh$''
               ''^tests/functional/flakes/follow-paths\.sh$''
diff --git a/tests/functional/flakes/check.sh b/tests/functional/flakes/check.sh
index 9a356c2ed..55cd3805f 100755
--- a/tests/functional/flakes/check.sh
+++ b/tests/functional/flakes/check.sh
@@ -3,9 +3,9 @@
 source common.sh
 
 flakeDir=$TEST_ROOT/flake3
-mkdir -p $flakeDir
+mkdir -p "$flakeDir"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     overlay = final: prev: {
@@ -14,9 +14,9 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-nix flake check $flakeDir
+nix flake check "$flakeDir"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     overlay = finalll: prev: {
@@ -25,9 +25,9 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-(! nix flake check $flakeDir)
+(! nix flake check "$flakeDir")
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self, ... }: {
     overlays.x86_64-linux.foo = final: prev: {
@@ -36,10 +36,11 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-checkRes=$(nix flake check $flakeDir 2>&1 && fail "nix flake check --all-systems should have failed" || true)
+# shellcheck disable=SC2015
+checkRes=$(nix flake check "$flakeDir" 2>&1 && fail "nix flake check --all-systems should have failed" || true)
 echo "$checkRes" | grepQuiet "error: overlay is not a function, but a set instead"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     nixosModules.foo = {
@@ -50,9 +51,9 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-nix flake check $flakeDir
+nix flake check "$flakeDir"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     nixosModules.foo = assert false; {
@@ -63,9 +64,9 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-(! nix flake check $flakeDir)
+(! nix flake check "$flakeDir")
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     nixosModule = { config, pkgs, ... }: {
@@ -75,9 +76,9 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-nix flake check $flakeDir
+nix flake check "$flakeDir"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     packages.system-1.default = "foo";
@@ -86,13 +87,14 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-nix flake check $flakeDir
+nix flake check "$flakeDir"
 
-checkRes=$(nix flake check --all-systems --keep-going $flakeDir 2>&1 && fail "nix flake check --all-systems should have failed" || true)
+# shellcheck disable=SC2015
+checkRes=$(nix flake check --all-systems --keep-going "$flakeDir" 2>&1 && fail "nix flake check --all-systems should have failed" || true)
 echo "$checkRes" | grepQuiet "packages.system-1.default"
 echo "$checkRes" | grepQuiet "packages.system-2.default"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     apps.system-1.default = {
@@ -108,9 +110,9 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-nix flake check --all-systems $flakeDir
+nix flake check --all-systems "$flakeDir"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     apps.system-1.default = {
@@ -122,10 +124,11 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-checkRes=$(nix flake check --all-systems $flakeDir 2>&1 && fail "nix flake check --all-systems should have failed" || true)
+# shellcheck disable=SC2015
+checkRes=$(nix flake check --all-systems "$flakeDir" 2>&1 && fail "nix flake check --all-systems should have failed" || true)
 echo "$checkRes" | grepQuiet "unknown-attr"
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     formatter.system-1 = "foo";
@@ -133,11 +136,12 @@ cat > $flakeDir/flake.nix <<EOF
 }
 EOF
 
-checkRes=$(nix flake check --all-systems $flakeDir 2>&1 && fail "nix flake check --all-systems should have failed" || true)
+# shellcheck disable=SC2015
+checkRes=$(nix flake check --all-systems "$flakeDir" 2>&1 && fail "nix flake check --all-systems should have failed" || true)
 echo "$checkRes" | grepQuiet "formatter.system-1"
 
 # Test whether `nix flake check` builds checks.
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     checks.$system.foo = with import ./config.nix; mkDerivation {
@@ -152,7 +156,7 @@ cp "${config_nix}" "$flakeDir/"
 
 expectStderr 0 nix flake check "$flakeDir" | grepQuiet 'running 1 flake check'
 
-cat > $flakeDir/flake.nix <<EOF
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: {
     checks.$system.foo = with import ./config.nix; mkDerivation {
@@ -164,14 +168,14 @@ cat > $flakeDir/flake.nix <<EOF
 EOF
 
 # FIXME: error code 100 doesn't get propagated from the daemon.
-if !isTestOnNixOS && $NIX_REMOTE != daemon; then
+if ! isTestOnNixOS && $NIX_REMOTE != daemon; then
     expectStderr 100 nix flake check "$flakeDir" | grepQuiet 'builder failed with exit code 1'
 fi
 
 # Ensure non-substitutable (read: usually failed) checks are actually run
 # https://github.com/NixOS/nix/pull/13574
-cp "$config_nix" $flakeDir/
-cat > $flakeDir/flake.nix <<EOF
+cp "$config_nix" "$flakeDir"/
+cat > "$flakeDir"/flake.nix <<EOF
 {
   outputs = { self }: with import ./config.nix; {
     checks.${system}.expectedToFail = derivation {
@@ -185,5 +189,6 @@ EOF
 
 # NOTE: Regex pattern is used for compatibility with older daemon versions
 # We also can't expect a specific status code. Earlier daemons return 1, but as of 2.31, we return 100
-checkRes=$(nix flake check $flakeDir 2>&1 && fail "nix flake check should have failed" || true)
+# shellcheck disable=SC2015
+checkRes=$(nix flake check "$flakeDir" 2>&1 && fail "nix flake check should have failed" || true)
 echo "$checkRes" | grepQuiet -E "builder( for .*)? failed with exit code 1"

From ac5615dd91e042711177f25e6e01d778697b55f1 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:24:30 -0700
Subject: [PATCH 09/11] shellcheck fix: tests/functional/flakes/config.sh

---
 maintainers/flake-module.nix      | 1 -
 tests/functional/flakes/config.sh | 5 +++--
 2 files changed, 3 insertions(+), 3 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 6f9985e0b..024565116 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/flakes/config\.sh$''
               ''^tests/functional/flakes/flakes\.sh$''
               ''^tests/functional/flakes/follow-paths\.sh$''
               ''^tests/functional/flakes/prefetch\.sh$''
diff --git a/tests/functional/flakes/config.sh b/tests/functional/flakes/config.sh
index ab2d9f47c..87714b5db 100755
--- a/tests/functional/flakes/config.sh
+++ b/tests/functional/flakes/config.sh
@@ -2,9 +2,9 @@
 
 source common.sh
 
-cp ../simple.nix ../simple.builder.sh "${config_nix}" $TEST_HOME
+cp ../simple.nix ../simple.builder.sh "${config_nix}" "$TEST_HOME"
 
-cd $TEST_HOME
+cd "$TEST_HOME"
 
 rm -f post-hook-ran
 cat <<EOF > echoing-post-hook.sh
@@ -37,6 +37,7 @@ if type -p script >/dev/null && script -q -c true /dev/null; then
 else
     echo "script is not available or not GNU-like, so we skip testing with an added tty"
 fi
+# shellcheck disable=SC2235
 (! [[ -f post-hook-ran ]])
 TODO_NixOS
 clearStore

From 6fc8f04ecb3241c39a10988d358cdcd226de5ac9 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:26:53 -0700
Subject: [PATCH 10/11] shellcheck fix: tests/functional/flakes/flakes.sh

---
 maintainers/flake-module.nix      |  1 -
 tests/functional/flakes/flakes.sh | 90 ++++++++++++++++---------------
 2 files changed, 46 insertions(+), 45 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 024565116..50601e06f 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/flakes/flakes\.sh$''
               ''^tests/functional/flakes/follow-paths\.sh$''
               ''^tests/functional/flakes/prefetch\.sh$''
               ''^tests/functional/flakes/run\.sh$''
diff --git a/tests/functional/flakes/flakes.sh b/tests/functional/flakes/flakes.sh
index 97d238654..5b1da0f02 100755
--- a/tests/functional/flakes/flakes.sh
+++ b/tests/functional/flakes/flakes.sh
@@ -7,7 +7,7 @@ TODO_NixOS
 requireGit
 
 clearStore
-rm -rf $TEST_HOME/.cache $TEST_HOME/.config
+rm -rf "$TEST_HOME"/.cache "$TEST_HOME"/.config
 
 createFlake1
 createFlake2
@@ -59,7 +59,7 @@ nix flake metadata flake1
 nix flake metadata flake1 | grepQuiet 'Locked URL:.*flake1.*'
 
 # Test 'nix flake metadata' on a chroot store.
-nix flake metadata --store $TEST_ROOT/chroot-store flake1
+nix flake metadata --store "$TEST_ROOT"/chroot-store flake1
 
 # Test 'nix flake metadata' on a local flake.
 (cd "$flake1Dir" && nix flake metadata) | grepQuiet 'URL:.*flake1.*'
@@ -75,17 +75,18 @@ hash1=$(echo "$json" | jq -r .revision)
 [[ -n $(echo "$json" | jq -r .fingerprint) ]]
 
 echo foo > "$flake1Dir/foo"
-git -C "$flake1Dir" add $flake1Dir/foo
+git -C "$flake1Dir" add "$flake1Dir"/foo
 [[ $(nix flake metadata flake1 --json --refresh | jq -r .dirtyRevision) == "$hash1-dirty" ]]
 [[ "$(nix flake metadata flake1 --json | jq -r .fingerprint)" != null ]]
 
 echo -n '# foo' >> "$flake1Dir/flake.nix"
 flake1OriginalCommit=$(git -C "$flake1Dir" rev-parse HEAD)
 git -C "$flake1Dir" commit -a -m 'Foo'
+# shellcheck disable=SC2034
 flake1NewCommit=$(git -C "$flake1Dir" rev-parse HEAD)
 hash2=$(nix flake metadata flake1 --json --refresh | jq -r .revision)
 [[ $(nix flake metadata flake1 --json --refresh | jq -r .dirtyRevision) == "null" ]]
-[[ $hash1 != $hash2 ]]
+[[ $hash1 != "$hash2" ]]
 
 # Test 'nix build' on a flake.
 nix build -o "$TEST_ROOT/result" flake1#foo
@@ -204,8 +205,8 @@ git -C "$flake3Dir" add flake.nix
 git -C "$flake3Dir" commit -m 'Update flake.nix'
 
 # Check whether `nix build` works with an incomplete lockfile
-nix build -o $TEST_ROOT/result "$flake3Dir#sth sth"
-nix build -o $TEST_ROOT/result "$flake3Dir#sth%20sth"
+nix build -o "$TEST_ROOT"/result "$flake3Dir#sth sth"
+nix build -o "$TEST_ROOT"/result "$flake3Dir#sth%20sth"
 
 # Check whether it saved the lockfile
 [[ -n $(git -C "$flake3Dir" diff master) ]]
@@ -249,7 +250,7 @@ nix flake lock "$flake3Dir"
 [[ -z $(git -C "$flake3Dir" diff master || echo failed) ]]
 
 nix flake update --flake "$flake3Dir" --override-flake flake2 nixpkgs
-[[ ! -z $(git -C "$flake3Dir" diff master || echo failed) ]]
+[[ -n $(git -C "$flake3Dir" diff master || echo failed) ]]
 
 # Testing the nix CLI
 nix registry add flake1 flake3
@@ -262,7 +263,7 @@ nix registry remove flake1
 [[ $(nix registry list | wc -l) == 4 ]]
 
 # Test 'nix registry list' with a disabled global registry.
-nix registry add user-flake1 git+file://$flake1Dir
+nix registry add user-flake1 git+file://"$flake1Dir"
 nix registry add user-flake2 "git+file://$percentEncodedFlake2Dir"
 [[ $(nix --flake-registry "" registry list | wc -l) == 2 ]]
 nix --flake-registry "" registry list | grepQuietInverse '^global' # nothing in global registry
@@ -273,9 +274,9 @@ nix registry remove user-flake2
 [[ $(nix registry list | wc -l) == 4 ]]
 
 # Test 'nix flake clone'.
-rm -rf $TEST_ROOT/flake1-v2
-nix flake clone flake1 --dest $TEST_ROOT/flake1-v2
-[ -e $TEST_ROOT/flake1-v2/flake.nix ]
+rm -rf "$TEST_ROOT"/flake1-v2
+nix flake clone flake1 --dest "$TEST_ROOT"/flake1-v2
+[ -e "$TEST_ROOT"/flake1-v2/flake.nix ]
 
 # Test 'follows' inputs.
 cat > "$flake3Dir/flake.nix" <<EOF
@@ -319,9 +320,9 @@ nix flake lock "$flake3Dir"
 [[ $(jq -c .nodes.root.inputs.bar "$flake3Dir/flake.lock") = '["flake2"]' ]]
 
 # Test overriding inputs of inputs.
-writeTrivialFlake $flake7Dir
-git -C $flake7Dir add flake.nix
-git -C $flake7Dir commit -m 'Initial'
+writeTrivialFlake "$flake7Dir"
+git -C "$flake7Dir" add flake.nix
+git -C "$flake7Dir" commit -m 'Initial'
 
 cat > "$flake3Dir/flake.nix" <<EOF
 {
@@ -349,54 +350,55 @@ cat > "$flake3Dir/flake.nix" <<EOF
 EOF
 
 nix flake update --flake "$flake3Dir"
+# shellcheck disable=SC2076
 [[ $(jq -c .nodes.flake2.inputs.flake1 "$flake3Dir/flake.lock") =~ '["foo"]' ]]
 [[ $(jq .nodes.foo.locked.url "$flake3Dir/flake.lock") =~ flake7 ]]
 
 # Test git+file with bare repo.
-rm -rf $flakeGitBare
-git clone --bare $flake1Dir $flakeGitBare
-nix build -o $TEST_ROOT/result git+file://$flakeGitBare
+rm -rf "$flakeGitBare"
+git clone --bare "$flake1Dir" "$flakeGitBare"
+nix build -o "$TEST_ROOT"/result git+file://"$flakeGitBare"
 
 # Test path flakes.
-mkdir -p $flake5Dir
-writeDependentFlake $flake5Dir
-nix flake lock path://$flake5Dir
+mkdir -p "$flake5Dir"
+writeDependentFlake "$flake5Dir"
+nix flake lock path://"$flake5Dir"
 
 # Test tarball flakes.
-tar cfz $TEST_ROOT/flake.tar.gz -C $TEST_ROOT flake5
+tar cfz "$TEST_ROOT"/flake.tar.gz -C "$TEST_ROOT" flake5
 
-nix build -o $TEST_ROOT/result file://$TEST_ROOT/flake.tar.gz
+nix build -o "$TEST_ROOT"/result file://"$TEST_ROOT"/flake.tar.gz
 
 # Building with a tarball URL containing a SRI hash should also work.
-url=$(nix flake metadata --json file://$TEST_ROOT/flake.tar.gz | jq -r .url)
+url=$(nix flake metadata --json file://"$TEST_ROOT"/flake.tar.gz | jq -r .url)
 [[ $url =~ sha256- ]]
 
-nix build -o $TEST_ROOT/result $url
+nix build -o "$TEST_ROOT"/result "$url"
 
 # Building with an incorrect SRI hash should fail.
-expectStderr 102 nix build -o $TEST_ROOT/result "file://$TEST_ROOT/flake.tar.gz?narHash=sha256-qQ2Zz4DNHViCUrp6gTS7EE4+RMqFQtUfWF2UNUtJKS0=" | grep 'NAR hash mismatch'
+expectStderr 102 nix build -o "$TEST_ROOT"/result "file://$TEST_ROOT/flake.tar.gz?narHash=sha256-qQ2Zz4DNHViCUrp6gTS7EE4+RMqFQtUfWF2UNUtJKS0=" | grep 'NAR hash mismatch'
 
 # Test --override-input.
 git -C "$flake3Dir" reset --hard
-nix flake lock "$flake3Dir" --override-input flake2/flake1 file://$TEST_ROOT/flake.tar.gz -vvvvv
+nix flake lock "$flake3Dir" --override-input flake2/flake1 file://"$TEST_ROOT"/flake.tar.gz -vvvvv
 [[ $(jq .nodes.flake1_2.locked.url "$flake3Dir/flake.lock") =~ flake.tar.gz ]]
 
 nix flake lock "$flake3Dir" --override-input flake2/flake1 flake1
 [[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") =~ $hash2 ]]
 
-nix flake lock "$flake3Dir" --override-input flake2/flake1 flake1/master/$hash1
+nix flake lock "$flake3Dir" --override-input flake2/flake1 flake1/master/"$hash1"
 [[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") =~ $hash1 ]]
 
 # Test --update-input.
 nix flake lock "$flake3Dir"
-[[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") = $hash1 ]]
+[[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") = "$hash1" ]]
 
 nix flake update flake2/flake1 --flake "$flake3Dir"
 [[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") =~ $hash2 ]]
 
 # Test updating multiple inputs.
-nix flake lock "$flake3Dir" --override-input flake1 flake1/master/$hash1
-nix flake lock "$flake3Dir" --override-input flake2/flake1 flake1/master/$hash1
+nix flake lock "$flake3Dir" --override-input flake1 flake1/master/"$hash1"
+nix flake lock "$flake3Dir" --override-input flake2/flake1 flake1/master/"$hash1"
 [[ $(jq -r .nodes.flake1.locked.rev "$flake3Dir/flake.lock") =~ $hash1 ]]
 [[ $(jq -r .nodes.flake1_2.locked.rev "$flake3Dir/flake.lock") =~ $hash1 ]]
 
@@ -409,13 +411,13 @@ nix flake metadata "$flake3Dir" --json | jq .
 nix flake metadata "$flake3Dir" --json --eval-store "dummy://?read-only=false" | jq .
 
 # Test flake in store does not evaluate.
-rm -rf $badFlakeDir
-mkdir $badFlakeDir
-echo INVALID > $badFlakeDir/flake.nix
-nix store delete $(nix store add-path $badFlakeDir)
+rm -rf "$badFlakeDir"
+mkdir "$badFlakeDir"
+echo INVALID > "$badFlakeDir"/flake.nix
+nix store delete "$(nix store add-path "$badFlakeDir")"
 
-[[ $(nix path-info      $(nix store add-path $flake1Dir)) =~ flake1 ]]
-[[ $(nix path-info path:$(nix store add-path $flake1Dir)) =~ simple ]]
+[[ $(nix path-info      "$(nix store add-path "$flake1Dir")") =~ flake1 ]]
+[[ $(nix path-info path:"$(nix store add-path "$flake1Dir")") =~ simple ]]
 
 # Test fetching flakerefs in the legacy CLI.
 [[ $(nix-instantiate --eval flake:flake3 -A x) = 123 ]]
@@ -424,15 +426,15 @@ nix store delete $(nix store add-path $badFlakeDir)
 [[ $(NIX_PATH=flake3=flake:flake3 nix-instantiate --eval '<flake3>' -A x) = 123 ]]
 
 # Test alternate lockfile paths.
-nix flake lock "$flake2Dir" --output-lock-file $TEST_ROOT/flake2.lock
-cmp "$flake2Dir/flake.lock" $TEST_ROOT/flake2.lock >/dev/null # lockfiles should be identical, since we're referencing flake2's original one
+nix flake lock "$flake2Dir" --output-lock-file "$TEST_ROOT"/flake2.lock
+cmp "$flake2Dir/flake.lock" "$TEST_ROOT"/flake2.lock >/dev/null # lockfiles should be identical, since we're referencing flake2's original one
 
-nix flake lock "$flake2Dir" --output-lock-file $TEST_ROOT/flake2-overridden.lock --override-input flake1 git+file://$flake1Dir?rev=$flake1OriginalCommit
-expectStderr 1 cmp "$flake2Dir/flake.lock" $TEST_ROOT/flake2-overridden.lock
-nix flake metadata "$flake2Dir" --reference-lock-file $TEST_ROOT/flake2-overridden.lock | grepQuiet $flake1OriginalCommit
+nix flake lock "$flake2Dir" --output-lock-file "$TEST_ROOT"/flake2-overridden.lock --override-input flake1 git+file://"$flake1Dir"?rev="$flake1OriginalCommit"
+expectStderr 1 cmp "$flake2Dir/flake.lock" "$TEST_ROOT"/flake2-overridden.lock
+nix flake metadata "$flake2Dir" --reference-lock-file "$TEST_ROOT"/flake2-overridden.lock | grepQuiet "$flake1OriginalCommit"
 
 # reference-lock-file can only be used if allow-dirty is set.
-expectStderr 1 nix flake metadata "$flake2Dir" --no-allow-dirty --reference-lock-file $TEST_ROOT/flake2-overridden.lock
+expectStderr 1 nix flake metadata "$flake2Dir" --no-allow-dirty --reference-lock-file "$TEST_ROOT"/flake2-overridden.lock
 
 # After changing an input (flake2 from newFlake2Rev to prevFlake2Rev), we should have the transitive inputs locked by revision $prevFlake2Rev of flake2.
 prevFlake1Rev=$(nix flake metadata --json "$flake1Dir" | jq -r .revision)
@@ -459,7 +461,7 @@ git -C "$flake3Dir" commit flake.nix -m 'bla'
 
 rm "$flake3Dir/flake.lock"
 nix flake lock "$flake3Dir"
-[[ "$(nix flake metadata --json "$flake3Dir" | jq -r .locks.nodes.flake1.locked.rev)" = $newFlake1Rev ]]
+[[ "$(nix flake metadata --json "$flake3Dir" | jq -r .locks.nodes.flake1.locked.rev)" = "$newFlake1Rev" ]]
 
 cat > "$flake3Dir/flake.nix" <<EOF
 {
@@ -470,7 +472,7 @@ cat > "$flake3Dir/flake.nix" <<EOF
 }
 EOF
 
-[[ "$(nix flake metadata --json "$flake3Dir" | jq -r .locks.nodes.flake1.locked.rev)" = $prevFlake1Rev ]]
+[[ "$(nix flake metadata --json "$flake3Dir" | jq -r .locks.nodes.flake1.locked.rev)" = "$prevFlake1Rev" ]]
 
 baseDir=$TEST_ROOT/$RANDOM
 subdirFlakeDir1=$baseDir/foo1

From 2a6724299a4a853f31ee14c59c83613cedcb6e94 Mon Sep 17 00:00:00 2001
From: Farid Zakaria <farid.m.zakaria@gmail.com>
Date: Thu, 25 Sep 2025 13:27:34 -0700
Subject: [PATCH 11/11] shellcheck fix: tests/functional/flakes/follow-paths.sh

---
 maintainers/flake-module.nix            |  1 -
 tests/functional/flakes/follow-paths.sh | 97 +++++++++++++------------
 2 files changed, 49 insertions(+), 49 deletions(-)

diff --git a/maintainers/flake-module.nix b/maintainers/flake-module.nix
index 50601e06f..0e9363408 100644
--- a/maintainers/flake-module.nix
+++ b/maintainers/flake-module.nix
@@ -106,7 +106,6 @@
             enable = true;
             excludes = [
               # We haven't linted these files yet
-              ''^tests/functional/flakes/follow-paths\.sh$''
               ''^tests/functional/flakes/prefetch\.sh$''
               ''^tests/functional/flakes/run\.sh$''
               ''^tests/functional/flakes/show\.sh$''
diff --git a/tests/functional/flakes/follow-paths.sh b/tests/functional/flakes/follow-paths.sh
index cf27681cb..1a6661be5 100755
--- a/tests/functional/flakes/follow-paths.sh
+++ b/tests/functional/flakes/follow-paths.sh
@@ -11,13 +11,13 @@ flakeFollowsD=$TEST_ROOT/follows/flakeA/flakeD
 flakeFollowsE=$TEST_ROOT/follows/flakeA/flakeE
 
 # Test following path flakerefs.
-createGitRepo $flakeFollowsA
-mkdir -p $flakeFollowsB
-mkdir -p $flakeFollowsC
-mkdir -p $flakeFollowsD
-mkdir -p $flakeFollowsE
+createGitRepo "$flakeFollowsA"
+mkdir -p "$flakeFollowsB"
+mkdir -p "$flakeFollowsC"
+mkdir -p "$flakeFollowsD"
+mkdir -p "$flakeFollowsE"
 
-cat > $flakeFollowsA/flake.nix <<EOF
+cat > "$flakeFollowsA"/flake.nix <<EOF
 {
     description = "Flake A";
     inputs = {
@@ -32,7 +32,7 @@ cat > $flakeFollowsA/flake.nix <<EOF
 }
 EOF
 
-cat > $flakeFollowsB/flake.nix <<EOF
+cat > "$flakeFollowsB"/flake.nix <<EOF
 {
     description = "Flake B";
     inputs = {
@@ -47,7 +47,7 @@ cat > $flakeFollowsB/flake.nix <<EOF
 }
 EOF
 
-cat > $flakeFollowsC/flake.nix <<EOF
+cat > "$flakeFollowsC"/flake.nix <<EOF
 {
     description = "Flake C";
     inputs = {
@@ -58,7 +58,7 @@ cat > $flakeFollowsC/flake.nix <<EOF
 }
 EOF
 
-cat > $flakeFollowsD/flake.nix <<EOF
+cat > "$flakeFollowsD"/flake.nix <<EOF
 {
     description = "Flake D";
     inputs = {};
@@ -66,7 +66,7 @@ cat > $flakeFollowsD/flake.nix <<EOF
 }
 EOF
 
-cat > $flakeFollowsE/flake.nix <<EOF
+cat > "$flakeFollowsE"/flake.nix <<EOF
 {
     description = "Flake E";
     inputs = {};
@@ -74,32 +74,32 @@ cat > $flakeFollowsE/flake.nix <<EOF
 }
 EOF
 
-git -C $flakeFollowsA add flake.nix flakeB/flake.nix \
+git -C "$flakeFollowsA" add flake.nix flakeB/flake.nix \
   flakeB/flakeC/flake.nix flakeD/flake.nix flakeE/flake.nix
 
-nix flake metadata $flakeFollowsA
+nix flake metadata "$flakeFollowsA"
 
-nix flake update --flake $flakeFollowsA
+nix flake update --flake "$flakeFollowsA"
 
-nix flake lock $flakeFollowsA
+nix flake lock "$flakeFollowsA"
 
 oldLock="$(cat "$flakeFollowsA/flake.lock")"
 
 # Ensure that locking twice doesn't change anything
 
-nix flake lock $flakeFollowsA
+nix flake lock "$flakeFollowsA"
 
 newLock="$(cat "$flakeFollowsA/flake.lock")"
 
 diff <(echo "$newLock") <(echo "$oldLock")
 
-[[ $(jq -c .nodes.B.inputs.C $flakeFollowsA/flake.lock) = '"C"' ]]
-[[ $(jq -c .nodes.B.inputs.foobar $flakeFollowsA/flake.lock) = '["foobar"]' ]]
-[[ $(jq -c .nodes.C.inputs.foobar $flakeFollowsA/flake.lock) = '["B","foobar"]' ]]
+[[ $(jq -c .nodes.B.inputs.C "$flakeFollowsA"/flake.lock) = '"C"' ]]
+[[ $(jq -c .nodes.B.inputs.foobar "$flakeFollowsA"/flake.lock) = '["foobar"]' ]]
+[[ $(jq -c .nodes.C.inputs.foobar "$flakeFollowsA"/flake.lock) = '["B","foobar"]' ]]
 
 # Ensure removing follows from flake.nix removes them from the lockfile
 
-cat > $flakeFollowsA/flake.nix <<EOF
+cat > "$flakeFollowsA"/flake.nix <<EOF
 {
     description = "Flake A";
     inputs = {
@@ -112,13 +112,13 @@ cat > $flakeFollowsA/flake.nix <<EOF
 }
 EOF
 
-nix flake lock $flakeFollowsA
+nix flake lock "$flakeFollowsA"
 
-[[ $(jq -c .nodes.B.inputs.foobar $flakeFollowsA/flake.lock) = '"foobar"' ]]
-jq -r -c '.nodes | keys | .[]' $flakeFollowsA/flake.lock | grep "^foobar$"
+[[ $(jq -c .nodes.B.inputs.foobar "$flakeFollowsA"/flake.lock) = '"foobar"' ]]
+jq -r -c '.nodes | keys | .[]' "$flakeFollowsA"/flake.lock | grep "^foobar$"
 
 # Check that path: inputs cannot escape from their root.
-cat > $flakeFollowsA/flake.nix <<EOF
+cat > "$flakeFollowsA"/flake.nix <<EOF
 {
     description = "Flake A";
     inputs = {
@@ -128,13 +128,13 @@ cat > $flakeFollowsA/flake.nix <<EOF
 }
 EOF
 
-git -C $flakeFollowsA add flake.nix
+git -C "$flakeFollowsA" add flake.nix
 
-expect 1 nix flake lock $flakeFollowsA 2>&1 | grep '/flakeB.*is forbidden in pure evaluation mode'
-expect 1 nix flake lock --impure $flakeFollowsA 2>&1 | grep '/flakeB.*does not exist'
+expect 1 nix flake lock "$flakeFollowsA" 2>&1 | grep '/flakeB.*is forbidden in pure evaluation mode'
+expect 1 nix flake lock --impure "$flakeFollowsA" 2>&1 | grep '/flakeB.*does not exist'
 
 # Test relative non-flake inputs.
-cat > $flakeFollowsA/flake.nix <<EOF
+cat > "$flakeFollowsA"/flake.nix <<EOF
 {
     description = "Flake A";
     inputs = {
@@ -145,16 +145,16 @@ cat > $flakeFollowsA/flake.nix <<EOF
 }
 EOF
 
-echo 123 > $flakeFollowsA/foo.nix
+echo 123 > "$flakeFollowsA"/foo.nix
 
-git -C $flakeFollowsA add flake.nix foo.nix
+git -C "$flakeFollowsA" add flake.nix foo.nix
 
-nix flake lock $flakeFollowsA
+nix flake lock "$flakeFollowsA"
 
-[[ $(nix eval --json $flakeFollowsA#e) = 123 ]]
+[[ $(nix eval --json "$flakeFollowsA"#e) = 123 ]]
 
 # Non-existant follows should print a warning.
-cat >$flakeFollowsA/flake.nix <<EOF
+cat >"$flakeFollowsA"/flake.nix <<EOF
 {
     description = "Flake A";
     inputs.B = {
@@ -167,7 +167,7 @@ cat >$flakeFollowsA/flake.nix <<EOF
 }
 EOF
 
-git -C $flakeFollowsA add flake.nix
+git -C "$flakeFollowsA" add flake.nix
 
 nix flake lock "$flakeFollowsA" 2>&1 | grep "warning: input 'B' has an override for a non-existent input 'invalid'"
 nix flake lock "$flakeFollowsA" 2>&1 | grep "warning: input 'B' has an override for a non-existent input 'invalid2'"
@@ -269,7 +269,7 @@ flakeFollowCycle="$TEST_ROOT/follows/followCycle"
 # Test following path flakerefs.
 mkdir -p "$flakeFollowCycle"
 
-cat > $flakeFollowCycle/flake.nix <<EOF
+cat > "$flakeFollowCycle"/flake.nix <<EOF
 {
     description = "Flake A";
     inputs = {
@@ -281,8 +281,9 @@ cat > $flakeFollowCycle/flake.nix <<EOF
 }
 EOF
 
+# shellcheck disable=SC2015
 checkRes=$(nix flake lock "$flakeFollowCycle" 2>&1 && fail "nix flake lock should have failed." || true)
-echo $checkRes | grep -F "error: follow cycle detected: [baz -> foo -> bar -> baz]"
+echo "$checkRes" | grep -F "error: follow cycle detected: [baz -> foo -> bar -> baz]"
 
 
 # Test transitive input url locking
@@ -362,22 +363,22 @@ echo "$json" | jq .locks.nodes.C.original
 
 # Test deep overrides, e.g. `inputs.B.inputs.C.inputs.D.follows = ...`.
 
-cat <<EOF > $flakeFollowsD/flake.nix
+cat <<EOF > "$flakeFollowsD"/flake.nix
 { outputs = _: {}; }
 EOF
-cat <<EOF > $flakeFollowsC/flake.nix
+cat <<EOF > "$flakeFollowsC"/flake.nix
 {
   inputs.D.url = "path:nosuchflake";
   outputs = _: {};
 }
 EOF
-cat <<EOF > $flakeFollowsB/flake.nix
+cat <<EOF > "$flakeFollowsB"/flake.nix
 {
   inputs.C.url = "path:$flakeFollowsC";
   outputs = _: {};
 }
 EOF
-cat <<EOF > $flakeFollowsA/flake.nix
+cat <<EOF > "$flakeFollowsA"/flake.nix
 {
   inputs.B.url = "path:$flakeFollowsB";
   inputs.D.url = "path:$flakeFollowsD";
@@ -386,26 +387,26 @@ cat <<EOF > $flakeFollowsA/flake.nix
 }
 EOF
 
-nix flake lock $flakeFollowsA
+nix flake lock "$flakeFollowsA"
 
-[[ $(jq -c .nodes.C.inputs.D $flakeFollowsA/flake.lock) = '["D"]' ]]
+[[ $(jq -c .nodes.C.inputs.D "$flakeFollowsA"/flake.lock) = '["D"]' ]]
 
 # Test overlapping flake follows: B has D follow C/D, while A has B/C follow C
 
-cat <<EOF > $flakeFollowsC/flake.nix
+cat <<EOF > "$flakeFollowsC"/flake.nix
 {
   inputs.D.url = "path:$flakeFollowsD";
   outputs = _: {};
 }
 EOF
-cat <<EOF > $flakeFollowsB/flake.nix
+cat <<EOF > "$flakeFollowsB"/flake.nix
 {
   inputs.C.url = "path:nosuchflake";
   inputs.D.follows = "C/D";
   outputs = _: {};
 }
 EOF
-cat <<EOF > $flakeFollowsA/flake.nix
+cat <<EOF > "$flakeFollowsA"/flake.nix
 {
   inputs.B.url = "path:$flakeFollowsB";
   inputs.C.url = "path:$flakeFollowsC";
@@ -415,12 +416,12 @@ cat <<EOF > $flakeFollowsA/flake.nix
 EOF
 
 # bug was not triggered without recreating the lockfile
-nix flake lock $flakeFollowsA --recreate-lock-file
+nix flake lock "$flakeFollowsA" --recreate-lock-file
 
-[[ $(jq -c .nodes.B.inputs.D $flakeFollowsA/flake.lock) = '["B","C","D"]' ]]
+[[ $(jq -c .nodes.B.inputs.D "$flakeFollowsA"/flake.lock) = '["B","C","D"]' ]]
 
 # Check that you can't have both a flakeref and a follows attribute on an input.
-cat <<EOF > $flakeFollowsB/flake.nix
+cat <<EOF > "$flakeFollowsB"/flake.nix
 {
   inputs.C.url = "path:nosuchflake";
   inputs.D.url = "path:nosuchflake";
@@ -429,4 +430,4 @@ cat <<EOF > $flakeFollowsB/flake.nix
 }
 EOF
 
-expectStderr 1 nix flake lock $flakeFollowsA --recreate-lock-file | grepQuiet "flake input has both a flake reference and a follows attribute"
+expectStderr 1 nix flake lock "$flakeFollowsA" --recreate-lock-file | grepQuiet "flake input has both a flake reference and a follows attribute"