From 8aaf7cae5bcbbc4f9a305e61cf01410c1e184c36 Mon Sep 17 00:00:00 2001
From: nevaforget
Date: Fri, 24 Apr 2026 13:15:52 +0200
Subject: [PATCH] =?UTF-8?q?fix:=20audit=20MEDIUM=20fixes=20=E2=80=94=20mer?=
 =?UTF-8?q?ge=20fallback,=20service=20hardening,=20CI=20token?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

- moonarch-waybar: on merge failure, remove the stale output so waybar falls back to the system config (previously it kept running with stale merged data despite the error notification claiming otherwise).
- moonarch-doctor: hoist INSTALLED assignment above both OFFICIAL and AUR blocks so the script survives set -u when only aur.txt is present.
- zshrc parse_git_branch: gate on git rev-parse and replace three grep subshells with bash pattern matching, cutting prompt latency from ~5 subprocesses per render to 2 (status + symbolic-ref).
- moonarch-batsaver.service: validate the threshold is an integer 1-100 before writing to sysfs, add NoNewPrivileges and protection directives instead of relying on kernel validation alone.
- ci/act-runner/Dockerfile: drop the broad "pacman -Sy *" sudoers entry (only -S --needed is required by makepkg), and pin run.sh to act_runner:0.3.1 so it cannot drift ahead of the pinned binary.
- .gitea/workflows/update-pkgver.yaml: push via credential.helper=store with a chmod 600 temp file instead of `git -c http.extraHeader=...`, so the token no longer shows up in /proc/PID/cmdline.
---
 .gitea/workflows/update-pkgver.yaml | 12 +++++++-
 ci/act-runner/Dockerfile | 4 +-
 defaults/bin/moonarch-waybar | 4 ++-
 .../systemd/system/moonarch-batsaver.service | 14 ++++++++-
 defaults/shell/zshrc | 29 +++++++++----------
 scripts/moonarch-doctor | 5 +++-
 6 files changed, 47 insertions(+), 21 deletions(-)
diff --git a/.gitea/workflows/update-pkgver.yaml b/.gitea/workflows/update-pkgver.yaml
index 0ccf5a2..bc0962c 100644
--- a/.gitea/workflows/update-pkgver.yaml
+++ b/.gitea/workflows/update-pkgver.yaml
@@ -21,6 +21,8 @@ jobs:
 echo "$PKGVER" > /tmp/pkgver
 - name: Update PKGBUILD
+ env:
+ PKGBUILD_TOKEN: ${{ secrets.PKGBUILD_TOKEN }}
 run: |
 PKGVER=$(cat /tmp/pkgver)
 git clone https://gitea.moonarch.de/nevaforget/moonarch-pkgbuilds.git pkgbuilds
@@ -39,4 +41,12 @@ jobs:
 git config user.email "gitea@moonarch.de"
 git add moonarch-git/PKGBUILD
 git commit -m "chore(moonarch-git): bump pkgver to $PKGVER"
- git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push
+
+ # Push via credential helper with a chmod 600 temp file, so the token
+ # never appears in /proc/PID/cmdline (as it would with `git -c
+ # http.extraHeader=...`).
+ CRED_FILE=$(mktemp)
+ chmod 600 "$CRED_FILE"
+ trap 'rm -f "$CRED_FILE"' EXIT
+ printf "https://pkgver-bot:%s@gitea.moonarch.de\n" "$PKGBUILD_TOKEN" > "$CRED_FILE"
+ git -c credential.helper="store --file=$CRED_FILE" push
diff --git a/ci/act-runner/Dockerfile b/ci/act-runner/Dockerfile
index 2094e83..e9b0543 100644
--- a/ci/act-runner/Dockerfile
+++ b/ci/act-runner/Dockerfile
@@ -1,10 +1,10 @@
 FROM archlinux:base-devel
 RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm
-RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -Sy *, /usr/bin/pacman -S --needed *" >> /etc/sudoers
+RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -S --needed *" >> /etc/sudoers
 ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner
 RUN echo "a05b2103a7cc5617197da214eaa06a1055362f21f9f475eb7fbacb8344d86cf8 /usr/local/bin/act_runner" | sha256sum -c - \
 && chmod +x /usr/local/bin/act_runner
-COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh
+COPY --from=gitea/act_runner:0.3.1 /usr/local/bin/run.sh /usr/local/bin/run.sh
 RUN mkdir -p /data && chown builder:builder /data
 USER builder
 ENV HOME=/home/builder
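Review bot: The new comment above the push overstates the fix — the token does leave `/proc/PID/cmdline`, but the `env:` block added in this file's first hunk keeps it in the environment of the whole step, which the `git clone`, the PKGBUILD edits and every other child process of that step inherit (and which `/proc/PID/environ` shows to the same user), so the comment should read `# … so the token never appears in /proc/PID/cmdline; it is still in the step environment, so keep this step minimal.` `mktemp` already creates the file with mode 0600, so the `chmod 600 "$CRED_FILE"` line is redundant, though harmless. `git credential-store` reads the stored URL percent-decoded, so the `printf` line is only correct while the token contains no `@`, `:`, `/` or `%`; Gitea tokens appear to be plain hex today, but a one-line comment stating that assumption would save the next person a confusing auth failure. The enclosing `run:` block starts outside the hunk.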
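Review bot: The `COPY --from=gitea/act_runner:0.3.1` line pins a mutable tag while the `act_runner` binary three lines above is verified by sha256, so `run.sh` is now the only unverified input to this image — a tag can be re-pushed; pin by digest, e.g. `COPY --from=gitea/act_runner:0.3.1@sha256:<digest-placeholder> /usr/local/bin/run.sh /usr/local/bin/run.sh`, with the digest taken from the registry at review time. The narrowed sudoers rule is still broad in practice: in sudoers a trailing `*` matches any number of further arguments, including additional pacman options, so the rule only fixes the prefix and the container remains the actual boundary — worth saying so in a comment, e.g. `# sudoers wildcard matches any further args; isolation relies on the container, not this rule`. Appending to `/etc/sudoers` with `echo >>` skips syntax validation; adding `&& visudo -cf /etc/sudoers` to the `RUN`, or writing the rule to `/etc/sudoers.d/builder` with mode 0440, makes a malformed rule fail the build instead of the first `sudo` at runtime.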
diff --git a/defaults/bin/moonarch-waybar b/defaults/bin/moonarch-waybar
index 3d3f446..d93e741 100755
--- a/defaults/bin/moonarch-waybar
+++ b/defaults/bin/moonarch-waybar
@@ -51,7 +51,9 @@ if [[ -f "$USERCONFIG" ]]; then
 if [[ ! -f "$OUTPUT" ]] || [[ "$USERCONFIG" -nt "$OUTPUT" ]] || [[ "$SYSTEM_CONFIG" -nt "$OUTPUT" ]]; then
- merge_config
+ # On merge failure the previous $OUTPUT is stale — remove it so waybar
+ # falls back to XDG's system config instead of running with stale merged data.
+ merge_config || rm -f "$OUTPUT"
 fi
 bootstrap_style
 fi
diff --git a/defaults/etc/systemd/system/moonarch-batsaver.service b/defaults/etc/systemd/system/moonarch-batsaver.service
index 8f1a2b7..ca43982 100644
--- a/defaults/etc/systemd/system/moonarch-batsaver.service
+++ b/defaults/etc/systemd/system/moonarch-batsaver.service
@@ -9,7 +9,19 @@ ConditionPathExists=/var/lib/moonarch/batsaver-threshold
 [Service]
 Type=oneshot
-ExecStart=/bin/sh -c 'cat /var/lib/moonarch/batsaver-threshold > /sys/class/power_supply/BAT0/charge_control_end_threshold'
+# Validate the threshold (integer 1–100) before writing. The state file is
+# written by wheel-group users via moonarch-batsaver-toggle; the kernel rejects
+# non-numeric values on sysfs, but validating here prevents noise on boot and
+# makes the trust boundary explicit.
+ExecStart=/bin/sh -c 'V=$(cat /var/lib/moonarch/batsaver-threshold); case "$V" in ""|*[!0-9]*) exit 0;; esac; [ "$V" -ge 1 ] && [ "$V" -le 100 ] && printf %s "$V" > /sys/class/power_supply/BAT0/charge_control_end_threshold'
+NoNewPrivileges=true
+ProtectHome=true
+PrivateTmp=true
+ProtectKernelModules=true
+ProtectControlGroups=true
+RestrictNamespaces=true
+RestrictRealtime=true
+LockPersonality=true
 [Install]
 WantedBy=multi-user.target
diff --git a/defaults/shell/zshrc b/defaults/shell/zshrc
index 23d61a6..5d79955 100644
--- a/defaults/shell/zshrc
+++ b/defaults/shell/zshrc
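Review bot: `merge_config || rm -f "$OUTPUT"` turns the merge failure into a success status — `rm -f` returns 0 — so `bootstrap_style` still runs and the script's exit code no longer reflects the failure; anything supervising this script (a launcher or user unit) sees a clean run even though the commit message says the failure is notified. Keep the fallback but preserve the status, e.g. `merge_config || { rm -f -- "$OUTPUT"; merge_failed=1; }` and exit non-zero at the end when `merge_failed` is set, or at minimum add `--` so an `$OUTPUT` value beginning with `-` is never parsed as an option. The enclosing `if [[ -f "$USERCONFIG" ]]` block starts outside the hunk.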
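Review bot: The two validation paths in the new `ExecStart` disagree: an empty or non-numeric file exits 0 silently, but a numeric value outside 1–100 leaves the `&&` chain with a non-zero status, so the oneshot unit fails and the boot noise the comment says it avoids comes back for exactly that case. Both paths should log and exit alike, e.g. `case "$V" in ""|*[!0-9]*) echo "batsaver: ignoring non-numeric threshold" >&2; exit 0;; esac; if [ "$V" -ge 1 ] && [ "$V" -le 100 ]; then printf %s "$V" > /sys/class/power_supply/BAT0/charge_control_end_threshold; else echo "batsaver: threshold $V out of range, ignoring" >&2; fi` — stderr of a service lands in the journal, so a corrupted or tampered state file becomes visible instead of being dropped without trace. A very long digit string passes the `case` but may overflow the `[ -ge ]` comparison in `/bin/sh`; a length cap such as `[ ${#V} -le 3 ]` before the range test closes that gap. Since `/sys/` is exempt from `ProtectSystem=strict`, that directive can join the hardening set without breaking the sysfs write, whereas `ProtectKernelTunables=` must stay off for the same reason and a comment saying so would stop someone adding it later.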
@@ -30,26 +30,25 @@ add-zsh-hook preexec _preexec_title
 # --- Prompt (Catppuccin Mocha) ---
 parse_git_branch() {
- local branch=""
- branch=$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')
- local git_status=$(git status --porcelain 2>/dev/null)
- local color=green
- if echo "$git_status" | grep -q "^ M"; then
- color=yellow
- branch="${branch}*"
+ # Gate on cheap check first — spawning git in every non-repo directory on every
+ # prompt render costs 20-80ms per prompt. Pattern-match the status output with
+ # zsh glob matching instead of piping to grep for three subshell-spawning checks.
+ git rev-parse --git-dir &>/dev/null || return
+ local branch="" git_status="" color=green flags=""
+ branch=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+ git_status=$(git status --porcelain 2>/dev/null)
+ if [[ "$git_status" == *$'\n M '* || "$git_status" == " M "* || "$git_status" == *$'\nM'* ]]; then
+ color=yellow; flags+="*"
 fi
- if echo "$git_status" | grep -qE "^ A|^\?\?"; then
- color=yellow
- branch="${branch}+"
+ if [[ "$git_status" == *$'\nA '* || "$git_status" == "A "* || "$git_status" == *'??'* ]]; then
+ color=yellow; flags+="+"
 fi
- if echo "$git_status" | grep -q "^ D"; then
- color=yellow
- branch="${branch}-"
+ if [[ "$git_status" == *$'\n D '* || "$git_status" == " D "* ]]; then
+ color=yellow; flags+="-"
 fi
 if [[ -n "$branch" ]]; then
- branch=[%F{${color}}${branch}%F{reset}]
+ echo " [%F{${color}}${branch}${flags}%F{reset}]"
 fi
- echo " $branch"
 }
 precmd() {
diff --git a/scripts/moonarch-doctor b/scripts/moonarch-doctor
index 36bfea3..5dab0cf 100755
--- a/scripts/moonarch-doctor
+++ b/scripts/moonarch-doctor
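Review bot: The comment at the top of `parse_git_branch` says the gate avoids spawning git in non-repo directories, but `git rev-parse --git-dir` is itself a git process, so the saving is one process per prompt instead of the previous `git branch | sed`, `git status` and three `grep` pipelines, not zero; reword to `# One git rev-parse in non-repo dirs replaces git branch|sed + git status + three grep subshells per prompt.` The three status patterns are also uneven: the modified check matches a staged `M` only when it is not on the first line (`*$'\nM'*`, with no `"M"*` counterpart), while `*'??'*` matches anywhere in the output, including a `??` inside a path name; add `|| "$git_status" == M*` to the first condition and use `*$'\n??'* || "$git_status" == '??'*` for untracked files. The old `echo " $branch"` emitted a leading space even for an empty branch and the new code emits nothing in that case, which callers of `parse_git_branch` in `precmd` (outside the hunk) may rely on for spacing — worth a check.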
@@ -109,8 +109,11 @@ section "Packages"
 OFFICIAL="/usr/share/moonarch/official.txt"
 AUR="/usr/share/moonarch/aur.txt"
+# Hoist INSTALLED so the AUR block below can use it even if OFFICIAL is absent —
+# otherwise `set -u` aborts the script when $INSTALLED is referenced unset.
+INSTALLED=$(pacman -Qq 2>/dev/null)
+
 if [[ -f "$OFFICIAL" ]]; then
- INSTALLED=$(pacman -Qq 2>/dev/null)
 MISSING_OFFICIAL=()
 while IFS= read -r pkg; do
 [[ "$pkg" =~ ^[[:space:]]*# ]] && continue
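Review bot: The hoisted `INSTALLED=$(pacman -Qq 2>/dev/null)` now runs unconditionally and, when `pacman` fails or is absent, leaves `INSTALLED` empty with the reason discarded by `2>/dev/null`, so both package blocks will report every entry as missing instead of reporting a failed query. Capture the status and say so, e.g. `if ! INSTALLED=$(pacman -Qq 2>/dev/null); then printf '%s\n' 'warning: pacman -Qq failed; package checks are unreliable' >&2; INSTALLED=""; fi`, using the script's own output helper if it has one (only `section` is visible here). If `set -e` is also in effect, the plain assignment would abort the doctor at this line on a pacman error, which the `if` form avoids. The `Packages` section continues past the end of the hunk.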