10 changed files with 26 additions and 56 deletions
--- a/.gitea/workflows/update-pkgver.yaml
+++ b/.gitea/workflows/update-pkgver.yaml
@ -21,8 +21,6 @@ jobs:
          echo "$PKGVER" > /tmp/pkgver
      - name: Update PKGBUILD
        env:
          PKGBUILD_TOKEN: ${{ secrets.PKGBUILD_TOKEN }}
        run: |
          PKGVER=$(cat /tmp/pkgver)
          git clone https://gitea.moonarch.de/nevaforget/moonarch-pkgbuilds.git pkgbuilds
@ -41,12 +39,4 @@ jobs:
          git config user.email "gitea@moonarch.de"
          git add moonarch-git/PKGBUILD
          git commit -m "chore(moonarch-git): bump pkgver to $PKGVER"
-
+          git -c http.extraHeader="Authorization: token ${{ secrets.PKGBUILD_TOKEN }}" push
          # Push via credential helper with a chmod 600 temp file, so the token
          # never appears in /proc/PID/cmdline (as it would with `git -c
          # http.extraHeader=...`).
          CRED_FILE=$(mktemp)
          chmod 600 "$CRED_FILE"
          trap 'rm -f "$CRED_FILE"' EXIT
          printf "https://pkgver-bot:%s@gitea.moonarch.de\n" "$PKGBUILD_TOKEN" > "$CRED_FILE"
          git -c credential.helper="store --file=$CRED_FILE" push
--- a/ci/act-runner/Dockerfile
+++ b/ci/act-runner/Dockerfile
@ -1,10 +1,10 @@
 FROM archlinux:base-devel
 RUN pacman -Sy --noconfirm git curl && pacman -Scc --noconfirm
-RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -S --needed *" >> /etc/sudoers
+RUN useradd -m builder && echo "builder ALL=(ALL) NOPASSWD: /usr/bin/pacman -Sy *, /usr/bin/pacman -S --needed *" >> /etc/sudoers
 ADD https://gitea.com/gitea/act_runner/releases/download/v0.3.1/act_runner-0.3.1-linux-amd64 /usr/local/bin/act_runner
 RUN echo "a05b2103a7cc5617197da214eaa06a1055362f21f9f475eb7fbacb8344d86cf8  /usr/local/bin/act_runner" | sha256sum -c - \
    && chmod +x /usr/local/bin/act_runner
-COPY --from=gitea/act_runner:0.3.1 /usr/local/bin/run.sh /usr/local/bin/run.sh
+COPY --from=gitea/act_runner:latest /usr/local/bin/run.sh /usr/local/bin/run.sh
 RUN mkdir -p /data && chown builder:builder /data
 USER builder
 ENV HOME=/home/builder
--- a/defaults/bin/moonarch-sink-switcher
+++ b/defaults/bin/moonarch-sink-switcher
@ -5,11 +5,7 @@
 # choose audio sink via rofi
 # changes default sink and moves all streams to that sink
-sink=$(pactl list sinks short | awk '{print $1, $2}' | walker -d -p "󱡫 Sink Switcher" | awk '{print $1}')
+sink=$(pactl list sinks short | awk '{print $1, $2}' | walker -d -p "󱡫 Sink Switcher" | awk '{print $1}') &&
 # Walker cancel returns empty — awk masks its non-zero exit. Guard here so we
 # don't call `pactl set-default-sink ""` on dismissal.
 [[ -n "$sink" ]] || exit 0
 pactl set-default-sink "$sink" &&
 for input in $(pactl list sink-inputs short | awk '{print $1}'); do
--- a/defaults/bin/moonarch-vpn
+++ b/defaults/bin/moonarch-vpn
@ -39,13 +39,13 @@ function extract_connection_name() {
 # Requires nm-applet (or another NM secret agent) for interactive auth.
 function connect_vpn() {
    local connection="$1"
-    nmcli connection up -- "$connection"
+    nmcli connection up "$connection"
 }
 # Disconnect a VPN.
 function disconnect_vpn() {
    local connection="$1"
-    nmcli connection down -- "$connection"
+    nmcli connection down "$connection"
 }
 # Toggle the VPN connection based on its current state.
--- a/defaults/bin/moonarch-waybar
+++ b/defaults/bin/moonarch-waybar
@ -51,9 +51,7 @@ if [[ -f "$USERCONFIG" ]]; then
    if [[ ! -f "$OUTPUT" ]] ||
       [[ "$USERCONFIG" -nt "$OUTPUT" ]] ||
       [[ "$SYSTEM_CONFIG" -nt "$OUTPUT" ]]; then
-        # On merge failure the previous $OUTPUT is stale — remove it so waybar
+        merge_config
        # falls back to XDG's system config instead of running with stale merged data.
        merge_config || rm -f "$OUTPUT"
    fi
    bootstrap_style
 fi
--- a/defaults/bin/moonarch-waybar-cpugov
+++ b/defaults/bin/moonarch-waybar-cpugov
@ -2,7 +2,7 @@
 # ABOUTME: Waybar-Modul das den CPU-Governor als JSON ausgibt.
 # ABOUTME: Wird von der Waybar custom/cpugov Config referenziert.
-CPU_GOV=$(cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor 2>/dev/null)
+CPU_GOV=$(cat /sys/devices/system/cpu/cpu0/cpufreq/scaling_governor)
 case $CPU_GOV in
  performance)
--- a/defaults/etc/systemd/system/moonarch-batsaver.service
+++ b/defaults/etc/systemd/system/moonarch-batsaver.service
@ -9,19 +9,7 @@ ConditionPathExists=/var/lib/moonarch/batsaver-threshold
 [Service]
 Type=oneshot
-# Validate the threshold (integer 1–100) before writing. The state file is
+ExecStart=/bin/sh -c 'cat /var/lib/moonarch/batsaver-threshold > /sys/class/power_supply/BAT0/charge_control_end_threshold'
 # written by wheel-group users via moonarch-batsaver-toggle; the kernel rejects
 # non-numeric values on sysfs, but validating here prevents noise on boot and
 # makes the trust boundary explicit.
 ExecStart=/bin/sh -c 'V=$(cat /var/lib/moonarch/batsaver-threshold); case "$V" in ""|*[!0-9]*) exit 0;; esac; [ "$V" -ge 1 ] && [ "$V" -le 100 ] && printf %s "$V" > /sys/class/power_supply/BAT0/charge_control_end_threshold'
 NoNewPrivileges=true
 ProtectHome=true
 PrivateTmp=true
 ProtectKernelModules=true
 ProtectControlGroups=true
 RestrictNamespaces=true
 RestrictRealtime=true
 LockPersonality=true
 [Install]
 WantedBy=multi-user.target
--- a/defaults/shell/zshrc
+++ b/defaults/shell/zshrc
@ -30,25 +30,26 @@ add-zsh-hook preexec _preexec_title
 # --- Prompt (Catppuccin Mocha) ---
 parse_git_branch() {
-    # Gate on cheap check first — spawning git in every non-repo directory on every
+    local branch=""
-    # prompt render costs 20-80ms per prompt. Pattern-match the status output with
+    branch=$(git branch 2> /dev/null | sed -e '/^[^*]/d' -e 's/* \(.*\)/\1/')
-    # zsh glob matching instead of piping to grep for three subshell-spawning checks.
+    local git_status=$(git status --porcelain 2>/dev/null)
-    git rev-parse --git-dir &>/dev/null || return
+    local color=green
-    local branch="" git_status="" color=green flags=""
+    if echo "$git_status" | grep -q "^ M"; then
-    branch=$(git symbolic-ref --short HEAD 2>/dev/null || git rev-parse --short HEAD 2>/dev/null)
+        color=yellow
-    git_status=$(git status --porcelain 2>/dev/null)
+        branch="${branch}*"
    if [[ "$git_status" == *$'\n M '* || "$git_status" == " M "* || "$git_status" == *$'\nM'* ]]; then
        color=yellow; flags+="*"
    fi
-    if [[ "$git_status" == *$'\nA '* || "$git_status" == "A "* || "$git_status" == *'??'* ]]; then
+    if echo "$git_status" | grep -qE "^ A|^\?\?"; then
-        color=yellow; flags+="+"
+        color=yellow
        branch="${branch}+"
    fi
-    if [[ "$git_status" == *$'\n D '* || "$git_status" == " D "* ]]; then
+    if echo "$git_status" | grep -q "^ D"; then
-        color=yellow; flags+="-"
+        color=yellow
        branch="${branch}-"
    fi
    if [[ -n "$branch" ]]; then
-        echo " [%F{${color}}${branch}${flags}%F{reset}]"
+        branch=[%F{${color}}${branch}%F{reset}]
    fi
    echo " $branch"
 }
 precmd() {
--- a/defaults/xdg/waybar/config
+++ b/defaults/xdg/waybar/config
@ -319,7 +319,7 @@
    "custom/gpu-usage": {
        "exec": "moonarch-waybar-gpustat",
        "return-type": "json",
-        "interval": 60
+        "restart-interval": 10
    },
    "battery": {
        "bat": "BAT0",
--- a/scripts/moonarch-doctor
+++ b/scripts/moonarch-doctor
@ -109,11 +109,8 @@ section "Packages"
 OFFICIAL="/usr/share/moonarch/official.txt"
 AUR="/usr/share/moonarch/aur.txt"
 # Hoist INSTALLED so the AUR block below can use it even if OFFICIAL is absent —
 # otherwise `set -u` aborts the script when $INSTALLED is referenced unset.
 INSTALLED=$(pacman -Qq 2>/dev/null)
 if [[ -f "$OFFICIAL" ]]; then
    INSTALLED=$(pacman -Qq 2>/dev/null)
    MISSING_OFFICIAL=()
    while IFS= read -r pkg; do
        [[ "$pkg" =~ ^[[:space:]]*# ]] && continue