guettli/sharedinbox
1
0
Fork 0
Code Issues 21 Pull Requests 6 Actions Packages Projects Releases Wiki Activity

fix: enforce non-root execution in Taskfile and shell scripts (#433)

Browse Source
This commit was merged in pull request #433.
This commit is contained in:
Bot of Thomas Güttler
2026-06-05 18:41:36 +02:00
parent adef2e9f80
commit 9ca7089c50
6 changed files with 8 additions and 0 deletions
Download Patch File Download Diff File Expand all files Collapse all files
Taskfile.yml
+2
View File
@@ -37,6 +37,8 @@ tasks:
run: once run: once
deps: [_nix-check] deps: [_nix-check]
preconditions: preconditions:
- sh: '[ "$(id -u)" != "0" ]'
msg: "Do not run as root. Use the dedicated dev user (see DEVELOPMENT.md)."
- sh: test -n "${IN_NIX_SHELL}" - sh: test -n "${IN_NIX_SHELL}"
msg: "Not in nix dev shell. Run: nix develop" msg: "Not in nix dev shell. Run: nix develop"
cmds: cmds:
deploy.sh
+1
View File
@@ -1,5 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
REPO_DIR="$(cd "$(dirname "$0")" && pwd)" REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
# Load .env into environment # Load .env into environment
scripts/setup_dagger_remote.sh
+2
View File
@@ -1,5 +1,6 @@
#!/usr/bin/env bash #!/usr/bin/env bash
set -euo pipefail set -euo pipefail
[ "${CI:-}" = "true" ] || [ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
if [ -z "${SOPS_AGE_KEY:-}" ]; then if [ -z "${SOPS_AGE_KEY:-}" ]; then
echo "Error: SOPS_AGE_KEY must be set." echo "Error: SOPS_AGE_KEY must be set."
@@ -50,6 +51,7 @@ export_secret "RENOVATE_FORGEJO_TOKEN"
# Setup SSH directory and keys # Setup SSH directory and keys
mkdir -p ~/.ssh mkdir -p ~/.ssh
chmod 700 ~/.ssh chmod 700 ~/.ssh
rm -f ~/.ssh/dagger_key
echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
chmod 600 ~/.ssh/dagger_key chmod 600 ~/.ssh/dagger_key
stalwart-dev/integration_android_test.sh
+1
View File
@@ -7,6 +7,7 @@
# Run inside nix develop: # Run inside nix develop:
# stalwart-dev/integration_android_test.sh # stalwart-dev/integration_android_test.sh
set -Eeuo pipefail set -Eeuo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
_SCRIPT_START=$(date +%s%3N) _SCRIPT_START=$(date +%s%3N)
ts() { echo "[$(( $(date +%s%3N) - _SCRIPT_START ))ms] $*"; } ts() { echo "[$(( $(date +%s%3N) - _SCRIPT_START ))ms] $*"; }
stalwart-dev/integration_ui_test.sh
+1
View File
@@ -5,6 +5,7 @@
# #
# Run inside nix develop: stalwart-dev/integration_ui_test.sh # Run inside nix develop: stalwart-dev/integration_ui_test.sh
set -Eeuo pipefail set -Eeuo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
# Timing helper: prints elapsed seconds since script start with a label. # Timing helper: prints elapsed seconds since script start with a label.
_SCRIPT_START=$(date +%s%3N) _SCRIPT_START=$(date +%s%3N)
stalwart-dev/test.sh
+1
View File
@@ -2,6 +2,7 @@
# Starts Stalwart in the background on fresh random ports, runs Flutter # Starts Stalwart in the background on fresh random ports, runs Flutter
# integration tests, then stops it. # integration tests, then stops it.
set -Eeuo pipefail set -Eeuo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
trap 'echo "Warning: A command failed ($0:$LINENO)"; exit 3' ERR trap 'echo "Warning: A command failed ($0:$LINENO)"; exit 3' ERR
export STALWART_USER_B="${STALWART_USER_B:-alice@example.com}" export STALWART_USER_B="${STALWART_USER_B:-alice@example.com}"