nevaforget/moonarch
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

fix: audit MEDIUM fixes — merge fallback, service hardening, CI token

Browse Source 
- moonarch-waybar: on merge failure, remove the stale output so waybar
  falls back to the system config (previously it kept running with stale
  merged data despite the error notification claiming otherwise).
- moonarch-doctor: hoist INSTALLED assignment above both OFFICIAL and AUR
  blocks so the script survives set -u when only aur.txt is present.
- zshrc parse_git_branch: gate on git rev-parse and replace three grep
  subshells with bash pattern matching, cutting prompt latency from
  ~5 subprocesses per render to 2 (status + symbolic-ref).
- moonarch-batsaver.service: validate the threshold is an integer 1-100
  before writing to sysfs, add NoNewPrivileges and protection directives
  instead of relying on kernel validation alone.
- ci/act-runner/Dockerfile: drop the broad "pacman -Sy *" sudoers entry
  (only -S --needed is required by makepkg), and pin run.sh to
  act_runner:0.3.1 so it cannot drift ahead of the pinned binary.
- .gitea/workflows/update-pkgver.yaml: push via credential.helper=store
  with a chmod 600 temp file instead of `git -c http.extraHeader=...`,
  so the token no longer shows up in /proc/PID/cmdline.
This commit is contained in:
nevaforget
2026-04-24 13:15:52 +02:00
parent 89c3a9261e
commit 8aaf7cae5b
6 changed files with 47 additions and 21 deletions
Download Patch File Download Diff File Expand all files Collapse all files
defaults/shell/zshrc
+14 -15
View File
@@ -30,26 +30,25 @@ add-zsh-hook preexec _preexec_title
# --- Prompt (Catppuccin Mocha) ---
parse_git_branch() {
local branch=""
branch=$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')
local git_status=$(git status --porcelain 2>/dev/null)
local color=green
if echo "$git_status" | grep -q "^ M"; then
color=yellow
branch="${branch}*"
# Gate on cheap check first — spawning git in every non-repo directory on every
# prompt render costs 20-80ms per prompt. Pattern-match the status output with
# zsh glob matching instead of piping to grep for three subshell-spawning checks.
git rev-parse --git-dir &>/dev/null || return
local branch="" git_status="" color=green flags=""
branch=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
git_status=$(git status --porcelain 2>/dev/null)
if [[ "$git_status" == *$'\n M '* || "$git_status" == " M "* || "$git_status" == *$'\nM'* ]]; then
color=yellow; flags+="*"
fi
if echo "$git_status" | grep -qE "^ A|^\?\?"; then
color=yellow
branch="${branch}+"
if [[ "$git_status" == *$'\nA '* || "$git_status" == "A "* || "$git_status" == *'??'* ]]; then
color=yellow; flags+="+"
fi
if echo "$git_status" | grep -q "^ D"; then
color=yellow
branch="${branch}-"
if [[ "$git_status" == *$'\n D '* || "$git_status" == " D "* ]]; then
color=yellow; flags+="-"
fi
if [[ -n "$branch" ]]; then
branch=[%F{${color}}${branch}%F{reset}]
echo " [%F{${color}}${branch}${flags}%F{reset}]"
fi
echo " $branch"
}
precmd() {