- moonarch-waybar: on merge failure, remove the stale output so waybar
falls back to the system config (previously it kept running with stale
merged data despite the error notification claiming otherwise).
- moonarch-doctor: hoist INSTALLED assignment above both OFFICIAL and AUR
blocks so the script survives set -u when only aur.txt is present.
- zshrc parse_git_branch: gate on git rev-parse and replace three grep
subshells with bash pattern matching, cutting prompt latency from
~5 subprocesses per render to 2 (status + symbolic-ref).
- moonarch-batsaver.service: validate the threshold is an integer 1-100
before writing to sysfs, add NoNewPrivileges and protection directives
instead of relying on kernel validation alone.
- ci/act-runner/Dockerfile: drop the broad "pacman -Sy *" sudoers entry
(only -S --needed is required by makepkg), and pin run.sh to
act_runner:0.3.1 so it cannot drift ahead of the pinned binary.
- .gitea/workflows/update-pkgver.yaml: push via credential.helper=store
with a chmod 600 temp file instead of `git -c http.extraHeader=...`,
so the token no longer shows up in /proc/PID/cmdline.
The runner image is now built on archlinux:base-devel with git,
curl, makepkg and a non-root builder user baked in. This removes
the need for per-workflow pacman installs and enables host mode.
