Author SHA1 Message Date
Thomas SharedInbox 47f14bff34 Merge remote-tracking branch 'origin/main' into issue-414-ensure-not-run-as-root 2026-06-05 18:11:39 +02:00
Thomas SharedInbox b7baf02c1a Merge remote-tracking branch 'origin/main' into issue-414-ensure-not-run-as-root 2026-06-05 18:01:14 +02:00
Thomas SharedInbox 1de0a993fe ci: retrigger after Dagger engine restart 2026-06-05 17:27:38 +02:00
Thomas SharedInboxandClaude Sonnet 4.6 2fa6d437ef fix: skip non-root check when running in CI environment
Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-05 17:11:08 +02:00
Thomas SharedInbox f3692095e8 Merge branch 'main' into issue-414-ensure-not-run-as-root 2026-06-05 17:10:33 +02:00
Thomas SharedInboxandClaude Sonnet 4.6 f7fbb9cf7b fix: enforce non-root execution in Taskfile and shell scripts
Adds a root-user guard to Taskfile's _preflight task (the shared
precondition for all local task commands) and to five scripts that can
be invoked directly outside of `task`. Also adds `rm -f` before
writing ~/.ssh/dagger_key in setup_dagger_remote.sh to safely remove
any existing file or symlink before writing the new key.

Closes #414

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-06-04 22:46:08 +02:00
6 changed files with 8 additions and 0 deletions
+2
@@ -37,6 +37,8 @@ tasks:
run: once
deps: [_nix-check]
preconditions:
- sh: '[ "$(id -u)" != "0" ]'
msg: "Do not run as root. Use the dedicated dev user (see DEVELOPMENT.md)."
- sh: test -n "${IN_NIX_SHELL}"
msg: "Not in nix dev shell. Run: nix develop"
cmds:
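Review bot: The root precondition `[ "$(id -u)" != "0" ]` has no CI exemption, while the guard in setup_dagger_remote.sh is skipped when `CI=true`, so the two entry points now enforce different policies. If a CI job ever runs a task that depends on `_preflight` as root, it will stop here. The commit message describes `_preflight` as the precondition for local task commands, but nothing in the file says so. I would add a YAML comment above the precondition, for example `# Local-only guard: CI does not go through _preflight; setup_dagger_remote.sh carries its own CI exemption`, or mirror the exemption if CI does reach this task. The task definition continues past `cmds:` outside this hunk.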
+1
@@ -1,5 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
REPO_DIR="$(cd "$(dirname "$0")" && pwd)"
# Load .env into environment
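Review bot: The guard's error message goes to stdout, so it is lost or mixed into captured output when the script is piped or run under command substitution. Send it to stderr instead: `[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md." >&2; exit 1; }`. The same guard line appears in the other four scripts in this change (one of them with a `CI` prefix), and the same redirect applies there. Since the line is copied five times and one copy already differs, a short comment on each naming the intended policy would help keep the copies in step.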
+2
@@ -1,5 +1,6 @@
#!/usr/bin/env bash
set -euo pipefail
[ "${CI:-}" = "true" ] || [ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
if [ -z "${SOPS_AGE_KEY:-}" ]; then
echo "Error: SOPS_AGE_KEY must be set."
@@ -50,6 +51,7 @@ export_secret "RENOVATE_FORGEJO_TOKEN"
# Setup SSH directory and keys
mkdir -p ~/.ssh
chmod 700 ~/.ssh
rm -f ~/.ssh/dagger_key
echo "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key
chmod 600 ~/.ssh/dagger_key
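Review bot: In the second hunk the private key file is created with the process's default umask and only restricted afterwards by `chmod 600`. Because the new `rm -f` guarantees a fresh file on every run, the key always passes through that default mode first. The `chmod 700 ~/.ssh` above limits who can reach the file, but creating it restrictively removes the window without relying on the directory mode: `( umask 077; printf '%s\n' "$DAGGER_SSH_KEY" > ~/.ssh/dagger_key )`. Separately, the guard in the first hunk is skipped whenever `CI=true` is in the environment, so it is an accident guard rather than an access control, and a one-line comment saying so would prevent it being relied on as one. The script continues outside both hunks.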
+1
@@ -7,6 +7,7 @@
# Run inside nix develop:
# stalwart-dev/integration_android_test.sh
set -Eeuo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
_SCRIPT_START=$(date +%s%3N)
ts() { echo "[$(( $(date +%s%3N) - _SCRIPT_START ))ms] $*"; }
+1
@@ -5,6 +5,7 @@
#
# Run inside nix develop: stalwart-dev/integration_ui_test.sh
set -Eeuo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
# Timing helper: prints elapsed seconds since script start with a label.
_SCRIPT_START=$(date +%s%3N)
+1
@@ -2,6 +2,7 @@
# Starts Stalwart in the background on fresh random ports, runs Flutter
# integration tests, then stops it.
set -Eeuo pipefail
[ "$(id -u)" != "0" ] || { echo "ERROR: Do not run as root. See DEVELOPMENT.md."; exit 1; }
trap 'echo "Warning: A command failed ($0:$LINENO)"; exit 3' ERR
export STALWART_USER_B="${STALWART_USER_B:-alice@example.com}"