nevaforget/moonarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: audit remediation — 6 fixes across quality, performance, security
All checks were successful
Update PKGBUILD version / update-pkgver (push) Successful in 2s
Details

Browse Source 
Q-01: Fix broken upower regex in moonarch-btnote (lookaheads never matched)
Q-02: Fix transform.sh paru repo section name ([moonarch] → [moonarch-pkgbuilds]),
      config path (~/.config → /etc), and partial sync (-Sy → -Syu)
Q-03: Add missing stasis package to aur.txt (idle management broken on fresh install)
S-01: Switch CI git clones from HTTP to HTTPS (MITM risk in Docker network)
S-02: Restrict CI builder sudo to /usr/bin/pacman only
P-01: Refactor moonarch-waybar-gpustat — remove while loop, use jq --arg style
This commit is contained in:
nevaforget 2026-04-07 10:50:57 +02:00
parent 27247a4ffb
commit 29550b8a14
6 changed files with 38 additions and 47 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

4
.gitea/workflows/update-pkgver.yaml
View File

@ -14,7 +14,7 @@ jobs:
steps: steps:
- name: Checkout source repo - name: Checkout source repo
run: | run: |
git clone --bare http://gitea:3000/nevaforget/moonarch.git source.git git clone --bare https://gitea.moonarch.de/nevaforget/moonarch.git source.git
cd source.git cd source.git
PKGVER=$(printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)") PKGVER=$(printf "r%s.%s" "$(git rev-list --count HEAD)" "$(git rev-parse --short HEAD)")
echo "New pkgver: $PKGVER" echo "New pkgver: $PKGVER"
@ -23,7 +23,7 @@ jobs:
- name: Update PKGBUILD - name: Update PKGBUILD
run: | run: |
PKGVER=$(cat /tmp/pkgver) PKGVER=$(cat /tmp/pkgver)
git clone http://gitea:3000/nevaforget/moonarch-pkgbuilds.git pkgbuilds git clone https://gitea.moonarch.de/nevaforget/moonarch-pkgbuilds.git pkgbuilds
cd pkgbuilds cd pkgbuilds
OLD_VER=$(grep '^pkgver=' moonarch-git/PKGBUILD | cut -d= -f2) OLD_VER=$(grep '^pkgver=' moonarch-git/PKGBUILD | cut -d= -f2)

2
ci/act-runner/Dockerfile
View File

@ -1,6 +1,6 @@
FROM archlinux:base-devel FROM archlinux:base-devel
RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm
RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: ALL" >> /etc/sudoers RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman" >> /etc/sudoers
ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner
RUN chmod +x /usr/local/bin/act_runner RUN chmod +x /usr/local/bin/act_runner
COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh

5
defaults/bin/moonarch-btnote
View File

@ -8,9 +8,8 @@ ICON="battery-empty"
while IFS= read -r d; do while IFS= read -r d; do
[ -z "$d" ] && continue [ -z "$d" ] && continue
DEVICE_DATA=$(upower -i "$d") DEVICE_DATA=$(upower -i "$d")
PERCENTAGE=$(echo "$DEVICE_DATA" | grep -Po '(?<=(percentage: )).*(?= icon)') PER_INT=$(echo "$DEVICE_DATA" | grep -oP 'percentage:\s+\K[0-9]+')
PER_INT=$(echo "${PERCENTAGE//%}") DEVICE_NAME=$(echo "$DEVICE_DATA" | grep -oP 'model:\s+\K.+')
DEVICE_NAME=$(echo "$DEVICE_DATA" | grep -Po '(?<=(model: )).*(?= serial)')
if [ -n "$DEVICE_NAME" ] && [ -n "$PER_INT" ] && [ "$PER_INT" -lt "$NOTIFY_AT_PERCENTAGE" ]; then if [ -n "$DEVICE_NAME" ] && [ -n "$PER_INT" ] && [ "$PER_INT" -lt "$NOTIFY_AT_PERCENTAGE" ]; then
notify-send -t 5000 -e "Low battery $DEVICE_NAME $PER_INT%" -i "$ICON" \ notify-send -t 5000 -e "Low battery $DEVICE_NAME $PER_INT%" -i "$ICON" \

60
defaults/bin/moonarch-waybar-gpustat
View File

@ -2,38 +2,32 @@
# ABOUTME: Waybar-Modul das die GPU-Auslastung als JSON ausgibt. # ABOUTME: Waybar-Modul das die GPU-Auslastung als JSON ausgibt.
# ABOUTME: Wird von der Waybar custom/gpu-usage Config referenziert. # ABOUTME: Wird von der Waybar custom/gpu-usage Config referenziert.
while : GPU_STAT=$(cat /sys/class/hwmon/hwmon*/device/gpu_busy_percent 2>/dev/null | head -1 || echo "0")
do GPU_STAT="${GPU_STAT:-0}"
GPU_STAT=$(cat /sys/class/hwmon/hwmon*/device/gpu_busy_percent 2>/dev/null | head -1 || echo "0") ICON="<span color='#69ff94' size='8pt' rise='1.5pt'>▁</span>"
GPU_STAT="${GPU_STAT:-0}"
if [ "$GPU_STAT" -lt 10 ]; then
ICON="<span color='#69ff94' size='8pt' rise='1.5pt'>▁</span>" ICON="<span color='#69ff94' size='8pt' rise='1.5pt'>▁</span>"
elif [ "$GPU_STAT" -lt 20 ]; then
ICON="<span color='#2aa9ff' size='8pt' rise='1.5pt'>▂</span>"
elif [ "$GPU_STAT" -lt 40 ]; then
ICON="<span color='#f8f8f2' size='8pt' rise='1.5pt'>▃</span>"
elif [ "$GPU_STAT" -lt 50 ]; then
ICON="<span color='#f8f8f2' size='8pt' rise='1.5pt'>▄</span>"
elif [ "$GPU_STAT" -lt 60 ]; then
ICON="<span color='#ffffa5' size='8pt' rise='1.5pt'>▅</span>"
elif [ "$GPU_STAT" -lt 70 ]; then
ICON="<span color='#ffffa5' size='8pt' rise='1.5pt'>▆</span>"
elif [ "$GPU_STAT" -lt 80 ]; then
ICON="<span color='#ff9977' size='8pt' rise='1.5pt'>▇</span>"
elif [ "$GPU_STAT" -lt 100 ]; then
ICON="<span color='#dd532e' size='8pt' rise='1.5pt'>█</span>"
fi
if [ "$GPU_STAT" -lt 10 ]; then jq --unbuffered --compact-output -n \
ICON="<span color='#69ff94' size='8pt' rise='1.5pt'>▁</span>" --arg text "GPU $ICON" \
elif [ "$GPU_STAT" -lt 20 ]; then --arg alt "GPU $ICON $GPU_STAT%" \
ICON="<span color='#2aa9ff' size='8pt' rise='1.5pt'>▂</span>" --arg tooltip "GPU $ICON $GPU_STAT%" \
elif [ "$GPU_STAT" -lt 40 ]; then --arg class "gpustat" \
ICON="<span color='#f8f8f2' size='8pt' rise='1.5pt'>▃</span>" --argjson percentage "$GPU_STAT" \
elif [ "$GPU_STAT" -lt 50 ]; then '{text: $text, alt: $alt, tooltip: $tooltip, class: $class, percentage: $percentage}'
ICON="<span color='#f8f8f2' size='8pt' rise='1.5pt'>▄</span>"
elif [ "$GPU_STAT" -lt 60 ]; then
ICON="<span color='#ffffa5' size='8pt' rise='1.5pt'>▅</span>"
elif [ "$GPU_STAT" -lt 70 ]; then
ICON="<span color='#ffffa5' size='8pt' rise='1.5pt'>▆</span>"
elif [ "$GPU_STAT" -lt 80 ]; then
ICON="<span color='#ff9977' size='8pt' rise='1.5pt'>▇</span>"
elif [ "$GPU_STAT" -lt 100 ]; then
ICON="<span color='#dd532e' size='8pt' rise='1.5pt'>█</span>"
fi
s="text|alt|tooltip|class|percentage
GPU $ICON|GPU $ICON $GPU_STAT%|GPU $ICON $GPU_STAT%|gpustat|$GPU_STAT"
jq --unbuffered --compact-output -Rn '
( input | split("|") ) as $keys |
( inputs | split("|") ) as $vals |
[[$keys, $vals] | transpose[] | {key:.[0],value:.[1]}] | from_entries
' <<<"$s"
sleep 5
done

1
packages/aur.txt
View File

@ -31,3 +31,4 @@ waterfox-bin
# System & Tools # System & Tools
auto-cpufreq auto-cpufreq
stasis

13
scripts/transform.sh
View File

@ -247,19 +247,16 @@ trap - EXIT
# Moonarch custom paru repo # Moonarch custom paru repo
log "Setting up Moonarch paru repo..." log "Setting up Moonarch paru repo..."
PARU_CONF="$HOME/.config/paru/paru.conf" PARU_CONF="/etc/paru.conf"
mkdir -p "$(dirname "$PARU_CONF")" if ! grep -q '\[moonarch-pkgbuilds\]' "$PARU_CONF" 2>/dev/null; then
if ! grep -q '\[moonarch\]' "$PARU_CONF" 2>/dev/null; then printf '\n[moonarch-pkgbuilds]\nUrl = https://gitea.moonarch.de/nevaforget/moonarch-pkgbuilds.git\n' \
cat >> "$PARU_CONF" <<'EOCONF' | sudo tee -a "$PARU_CONF" > /dev/null
[moonarch]
Url = https://gitea.moonarch.de/nevaforget/moonarch-pkgbuilds.git
EOCONF
log " + Moonarch repo added to paru.conf." log " + Moonarch repo added to paru.conf."
else else
log " ~ Moonarch repo already in paru.conf." log " ~ Moonarch repo already in paru.conf."
fi fi
paru -Sy --pkgbuilds --noconfirm paru -Syu --pkgbuilds --noconfirm
log "Installing moonarch-git package..." log "Installing moonarch-git package..."
paru -S --needed --noconfirm moonarch-git paru -S --needed --noconfirm moonarch-git