diff --git a/.gitea/workflows/update-pkgver.yaml b/.gitea/workflows/update-pkgver.yaml
index 0ccf5a2..bc0962c 100644
--- a/.gitea/workflows/update-pkgver.yaml
+++ b/.gitea/workflows/update-pkgver.yaml
@@ -21,6 +21,8 @@ jobs:
 echo "$PKGVER" > /tmp/pkgver
 - name: Update PKGBUILD
+ env:
+ PKGBUILD_TOKEN: ${{ secrets.PKGBUILD_TOKEN }}
 run: |
 PKGVER=$(cat /tmp/pkgver)
 git clone https://gitea.moonarch.de/nevaforget/moonarch-pkgbuilds.git pkgbuilds
@@ -39,4 +41,12 @@ jobs:
 git config user.email "gitea@moonarch.de"
 git add moonarch-git/PKGBUILD
 git commit -m "chore(moonarch-git): bump pkgver to $PKGVER"
- git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push
+
+ # Push via credential helper with a chmod 600 temp file, so the token
+ # never appears in /proc/PID/cmdline (as it would with `git -c
+ # http.extraHeader=...`).
+ CRED_FILE=$(mktemp)
+ chmod 600 "$CRED_FILE"
+ trap 'rm -f "$CRED_FILE"' EXIT
+ printf "https://pkgver-bot:%s@gitea.moonarch.de\n" "$PKGBUILD_TOKEN" > "$CRED_FILE"
+ git -c credential.helper="store --file=$CRED_FILE" push
diff --git a/ci/act-runner/Dockerfile b/ci/act-runner/Dockerfile
index 2094e83..e9b0543 100644
--- a/ci/act-runner/Dockerfile
+++ b/ci/act-runner/Dockerfile
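Review bot: The credential line built by the new `printf` is parsed by git-credential-store as a URL, so a token containing URL-reserved characters (`@`, `:`, `/`, `#`, `%`) would be mis-split or rejected at push time; letting git write the file avoids hand-encoding: `printf 'protocol=https\nhost=gitea.moonarch.de\nusername=pkgver-bot\npassword=%s\n' "$PKGBUILD_TOKEN" | git -c credential.helper="store --file=$CRED_FILE" credential approve`, with the `push` line unchanged. `mktemp` already creates the file mode 0600, so the `chmod 600` line is a backstop rather than load-bearing; a short comment saying so would stop a later edit from dropping the `mktemp` and keeping the chmod. The token now reaches the step through the environment instead of argv, so any `set -x` or runner debug tracing of this step would still print it on the `printf` line; worth a comment next to the `env:` block in the first hunk.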
@@ -1,10 +1,10 @@
 FROM archlinux:base-devel
 RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm
-RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -Sy *, /usr/bin/pacman -S --needed *" >> /etc/sudoers
+RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -S --needed *" >> /etc/sudoers
 ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner
 RUN echo "a05b2103a7cc5617197da214eaa06a1055362f21f9f475eb7fbacb8344d86cf8 /usr/local/bin/act_runner" | sha256sum -c - \
 && chmod +x /usr/local/bin/act_runner
-COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh
+COPY --from=gitea/act_runner:0.3.1 /usr/local/bin/run.sh /usr/local/bin/run.sh
 RUN mkdir -p /data && chown builder:builder /data
 USER builder
 ENV HOME=/home/builder
diff --git a/defaults/bin/moonarch-waybar b/defaults/bin/moonarch-waybar
index 3d3f446..d93e741 100755
--- a/defaults/bin/moonarch-waybar
+++ b/defaults/bin/moonarch-waybar
@@ -51,7 +51,9 @@ if [[ -f "$USERCONFIG" ]]; then
 if [[ ! -f "$OUTPUT" ]] || [[ "$USERCONFIG" -nt "$OUTPUT" ]] || [[ "$SYSTEM_CONFIG" -nt "$OUTPUT" ]]; then
- merge_config
+ # On merge failure the previous $OUTPUT is stale — remove it so waybar
+ # falls back to XDG's system config instead of running with stale merged data.
+ merge_config || rm -f "$OUTPUT"
 fi
 bootstrap_style
 fi
diff --git a/defaults/etc/systemd/system/moonarch-batsaver.service b/defaults/etc/systemd/system/moonarch-batsaver.service
index 8f1a2b7..ca43982 100644
--- a/defaults/etc/systemd/system/moonarch-batsaver.service
+++ b/defaults/etc/systemd/system/moonarch-batsaver.service
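Review bot: The narrowed sudoers rule on the new `RUN useradd` line still ends in a bare `*`, and in sudoers a wildcard matches across whitespace, so it permits `pacman -S --needed` followed by any further arguments, including pacman's own options that change which config, hook directory or database it uses; the entry therefore still effectively grants the builder user root. A safer shape is a small wrapper (for example `/usr/local/bin/ci-pacman`) that validates package names and calls pacman with a fixed argv, with the NOPASSWD entry naming only that wrapper and no wildcard. Appending to /etc/sudoers with `echo` also skips syntax checking; `&& visudo -cf /etc/sudoers` at the end of that RUN would fail the build on a malformed rule. The `COPY --from=gitea/act_runner:0.3.1` pin is better than `latest` but a tag is mutable; pinning by digest (`gitea/act_runner:0.3.1@sha256:<digest>`) would match the sha256 check already applied to the `ADD`ed binary.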
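Review bot: `merge_config || rm -f "$OUTPUT"` only removes the output after the merge has failed, so if merge_config writes `$OUTPUT` in place (its definition is outside this hunk, so this is inferred) there is still a window in which waybar can start against a half-written file; having merge_config write to a sibling temp file and `mv -f` it over `$OUTPUT` only on success makes `$OUTPUT` either the previous complete config or the new one. The failure is also silent at this point; a `printf 'moonarch-waybar: config merge failed, removing %s\n' "$OUTPUT" >&2` before the `rm` would tell the user why their merged config disappeared. The new comment's claim that waybar falls back to the XDG system config when `$OUTPUT` is absent cannot be verified from this hunk.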
@@ -9,7 +9,19 @@ ConditionPathExists=/var/lib/moonarch/batsaver-threshold
 [Service]
 Type=oneshot
-ExecStart=/bin/sh -c 'cat /var/lib/moonarch/batsaver-threshold > /sys/class/power_supply/BAT0/charge_control_end_threshold'
+# Validate the threshold (integer 1–100) before writing. The state file is
+# written by wheel-group users via moonarch-batsaver-toggle; the kernel rejects
+# non-numeric values on sysfs, but validating here prevents noise on boot and
+# makes the trust boundary explicit.
+ExecStart=/bin/sh -c 'V=$(cat /var/lib/moonarch/batsaver-threshold); case "$V" in ""|*[!0-9]*) exit 0;; esac; [ "$V" -ge 1 ] && [ "$V" -le 100 ] && printf %s "$V" > /sys/class/power_supply/BAT0/charge_control_end_threshold'
+NoNewPrivileges=true
+ProtectHome=true
+PrivateTmp=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
 [Install]
 WantedBy=multi-user.target
diff --git a/defaults/shell/zshrc b/defaults/shell/zshrc
index 23d61a6..5d79955 100644
--- a/defaults/shell/zshrc
+++ b/defaults/shell/zshrc
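Review bot: The `%s` in `printf %s "$V"` on the new `ExecStart` line is a systemd specifier (`%s` expands to the service manager's user shell, `/bin/sh` for the system instance), so the shell actually receives `printf /bin/sh "$V"` and writes the string `/bin/sh` to the sysfs attribute instead of the threshold; percent signs in Exec lines must be doubled, `printf %%s "$V"`, or the write done with `echo "$V"` as the removed `cat` line effectively did. Separately, the two invalid cases diverge: a non-numeric value reaches `exit 0` silently, while an out-of-range value (0 or above 100) fails the range test and the unit ends with status 1 and no message, which is the boot noise the new comment says the check is meant to avoid; ending both paths with `{ echo "batsaver: ignoring invalid threshold $V" >&2; exit 0; }` gives one outcome and a journal line when the wheel-writable state file holds something unexpected. The hardening block rightly omits `ProtectKernelTunables=`, which would make /sys read-only and break the write; a one-line comment saying so would stop a later cleanup from adding it, and `ProtectSystem=strict` can be added safely since it leaves /sys, /proc and /dev writable.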
@@ -30,26 +30,25 @@ add-zsh-hook preexec _preexec_title
 # --- Prompt (Catppuccin Mocha) ---
 parse_git_branch() {
- local branch=""
- branch=$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')
- local git_status=$(git status --porcelain 2>/dev/null)
- local color=green
- if echo "$git_status" | grep -q "^ M"; then
- color=yellow
- branch="${branch}*"
+ # Gate on cheap check first — spawning git in every non-repo directory on every
+ # prompt render costs 20-80ms per prompt. Pattern-match the status output with
+ # zsh glob matching instead of piping to grep for three subshell-spawning checks.
+ git rev-parse --git-dir &>/dev/null || return
+ local branch="" git_status="" color=green flags=""
+ branch=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+ git_status=$(git status --porcelain 2>/dev/null)
+ if [[ "$git_status" == *$'\n M '* || "$git_status" == " M "* || "$git_status" == *$'\nM'* ]]; then
+ color=yellow; flags+="*"
 fi
- if echo "$git_status" | grep -qE "^ A|^\?\?"; then
- color=yellow
- branch="${branch}+"
+ if [[ "$git_status" == *$'\nA '* || "$git_status" == "A "* || "$git_status" == *'??'* ]]; then
+ color=yellow; flags+="+"
 fi
- if echo "$git_status" | grep -q "^ D"; then
- color=yellow
- branch="${branch}-"
+ if [[ "$git_status" == *$'\n D '* || "$git_status" == " D "* ]]; then
+ color=yellow; flags+="-"
 fi
 if [[ -n "$branch" ]]; then
- branch=[%F{${color}}${branch}%F{reset}]
+ echo " [%F{${color}}${branch}${flags}%F{reset}]"
 fi
- echo " $branch"
 }
 precmd() {
diff --git a/scripts/moonarch-doctor b/scripts/moonarch-doctor
index 36bfea3..5dab0cf 100755
--- a/scripts/moonarch-doctor
+++ b/scripts/moonarch-doctor
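Review bot: The untracked test on the new second `if` line, `"$git_status" == *'??'*`, matches two question marks anywhere in the porcelain output rather than at the start of a record, so a tracked path whose name contains `??` flags `+` while nothing is untracked; the other two conditions anchor on the record start, and `"$git_status" == '??'* || "$git_status" == *$'\n??'*` keeps this one consistent with them. The branch name is also echoed into the prompt unescaped on the new `echo " [%F{${color}}${branch}${flags}%F{reset}]"` line; if precmd (its body is outside this hunk) inserts the result with prompt expansion, as the `%F` sequences imply, a `%` in a branch name is interpreted as a prompt escape, and `${branch//\%/%%}` in that line neutralises it. The `git rev-parse --git-dir &>/dev/null || return` guard still forks git once per prompt in non-repo directories, so it is cheap only relative to the removed `git branch | sed` pipeline; rewording the "Gate on cheap check" comment to say that would stop readers expecting a fork-free path.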
@@ -109,8 +109,11 @@ section "Packages"
 OFFICIAL="/usr/share/moonarch/official.txt"
 AUR="/usr/share/moonarch/aur.txt"
+# Hoist INSTALLED so the AUR block below can use it even if OFFICIAL is absent —
+# otherwise `set -u` aborts the script when $INSTALLED is referenced unset.
+INSTALLED=$(pacman -Qq 2>/dev/null)
+
 if [[ -f "$OFFICIAL" ]]; then
- INSTALLED=$(pacman -Qq 2>/dev/null)
 MISSING_OFFICIAL=()
 while IFS= read -r pkg; do
 [[ "$pkg" =~ ^[[:space:]]*# ]] && continue
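Review bot: The hoisted `INSTALLED=$(pacman -Qq 2>/dev/null)` discards pacman's stderr, so when the query fails (locked database, pacman unavailable) the script either aborts under `set -e` with no explanation or, if `-e` is not in effect, carries on with an empty `$INSTALLED` and reports every package as missing (the later uses of `$INSTALLED` and the script's `set` options are outside this hunk, so this is inferred). Capturing the status makes the failure visible and still defines the variable on every path, which is the `set -u` rationale the new comment gives: `if ! INSTALLED=$(pacman -Qq 2>/dev/null); then printf 'warning: pacman -Qq failed; package checks are unreliable\n' >&2; INSTALLED=; fi`.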