build: add /home/user fallback for ZDDC_SIGNING_KEY env file

The Forgejo runner is containerized; inside the container $HOME is
/var/lib/forgejo-runner (uid 1001's passwd entry), not /home/user.
So `$HOME/.config/zddc-signing/env` resolved to the wrong path inside
the runner and the fallback I added in b925dc5 silently no-op'd.

The runner quadlet bind-mounts /home/user/.config/zddc-signing/ at
the same absolute path inside the container, so an additional
explicit `/home/user/.config/zddc-signing/env` candidate covers
the runner. Order: $HOME first (operator's own shell or another
user's setup), then /home/user as the canonical operator location.

Verified inside the running container as uid 1001:
  sourced /home/user/.config/zddc-signing/env
  ZDDC_SIGNING_KEY=/home/user/.config/zddc-signing/key.pem
  key readable

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>
ZDDC 2026-05-20 10:21:54 -05:00
parent b925dc56ce
commit b9ea6674fb

build

@ -911,11 +911,23 @@ if [ "$RELEASE_CHANNEL" = "stable" ]; then
# Source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env if it
# isn't already in env. Mirrors ~/.bashrc's auto-sourcing pattern
# for ~/.config/{codeberg,forgejo,github}/env, but inside the
# build script so non-interactive callers (Forgejo runner daemon,
# cron, etc.) pick it up without needing systemd EnvironmentFile
# or workflow yaml.
if [ -z "${ZDDC_SIGNING_KEY:-}" ] && [ -f "$HOME/.config/zddc-signing/env" ]; then
. "$HOME/.config/zddc-signing/env"
# build script so non-interactive callers pick it up without
# needing systemd EnvironmentFile or workflow yaml.
#
# Two candidates: $HOME first (operator's normal shell), then
# /home/user as an explicit fallback for the Forgejo runner
# container — $HOME there is /var/lib/forgejo-runner (uid 1001's
# in-container passwd entry), but the runner quadlet bind-mounts
# /home/user/.config/zddc-signing/ at the same absolute path so
# the operator's single source of truth is visible to the runner.
if [ -z "${ZDDC_SIGNING_KEY:-}" ]; then
for _zsk_env in "$HOME/.config/zddc-signing/env" /home/user/.config/zddc-signing/env; do
if [ -f "$_zsk_env" ]; then
. "$_zsk_env"
break
fi
done
unset _zsk_env
fi
echo ""
echo "=== Signing release artifacts ==="
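Review bot: the loop over `"$HOME/.config/zddc-signing/env" /home/user/.config/zddc-signing/env` breaks on the first file that exists, not the first that actually sets the key. If a stale or empty `$HOME/.config/zddc-signing/env` is present, the `/home/user` candidate is never tried and the block falls through without a message, which is the same silent no-op the commit message describes for b925dc5. Suggest breaking only when `[ -n "${ZDDC_SIGNING_KEY:-}" ]` holds after sourcing, and echoing which file was sourced so the runner log shows where the key path came from. Two smaller points: `. "$_zsk_env"` runs the file as shell in the build's context from a hard-coded, bind-mounted path, so it is worth checking that the file is owned by the expected user and not group- or world-writable before sourcing it, given that it selects the release signing key; and the guard uses `${ZDDC_SIGNING_KEY:-}` while `$HOME` is expanded bare, so if the script runs with `set -u` (not visible in this hunk) an unset `HOME` aborts here, and `${HOME:-}` would be consistent.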