From b9ea6674fbd06e1fe9ba517a218076f947c0c507 Mon Sep 17 00:00:00 2001
From: ZDDC
Date: Wed, 20 May 2026 10:21:54 -0500
Subject: [PATCH] build: add /home/user fallback for ZDDC_SIGNING_KEY env file
The Forgejo runner is containerized; inside the container $HOME is /var/lib/forgejo-runner (uid 1001's passwd entry), not /home/user. So `$HOME/.config/zddc-signing/env` resolved to the wrong path inside the runner and the fallback I added in b925dc5 silently no-op'd. The runner quadlet bind-mounts /home/user/.config/zddc-signing/ at the same absolute path inside the container, so an additional explicit `/home/user/.config/zddc-signing/env` candidate covers the runner. Order: $HOME first (operator's own shell or another user's setup), then /home/user as the canonical operator location. Verified inside the running container as uid 1001: sourced /home/user/.config/zddc-signing/env ZDDC_SIGNING_KEY=/home/user/.config/zddc-signing/key.pem key readable
Co-Authored-By: Claude Opus 4.7 (1M context)
---
build | 22 +++++++++++++++++-----
1 file changed, 17 insertions(+), 5 deletions(-)
diff --git a/build b/build
index ac900e6..ef1d40c 100755
--- a/build
+++ b/build
@@ -911,11 +911,23 @@ if [ "$RELEASE_CHANNEL" = "stable" ]; then
 # Source ZDDC_SIGNING_KEY from ~/.config/zddc-signing/env if it
 # isn't already in env. Mirrors ~/.bashrc's auto-sourcing pattern
 # for ~/.config/{codeberg,forgejo,github}/env, but inside the
- # build script so non-interactive callers (Forgejo runner daemon,
- # cron, etc.) pick it up without needing systemd EnvironmentFile
- # or workflow yaml.
- if [ -z "${ZDDC_SIGNING_KEY:-}" ] && [ -f "$HOME/.config/zddc-signing/env" ]; then
- . "$HOME/.config/zddc-signing/env"
+ # build script so non-interactive callers pick it up without
+ # needing systemd EnvironmentFile or workflow yaml.
+ #
+ # Two candidates: $HOME first (operator's normal shell), then
+ # /home/user as an explicit fallback for the Forgejo runner
+ # container — $HOME there is /var/lib/forgejo-runner (uid 1001's
+ # in-container passwd entry), but the runner quadlet bind-mounts
+ # /home/user/.config/zddc-signing/ at the same absolute path so
+ # the operator's single source of truth is visible to the runner.
+ if [ -z "${ZDDC_SIGNING_KEY:-}" ]; then
+ for _zsk_env in "$HOME/.config/zddc-signing/env" /home/user/.config/zddc-signing/env; do
+ if [ -f "$_zsk_env" ]; then
+ . "$_zsk_env"
+ break
+ fi
+ done
+ unset _zsk_env
 fi
 echo ""
 echo "=== Signing release artifacts ==="
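Review bot: After the `for` loop exits, nothing checks that a candidate was actually sourced or that it set ZDDC_SIGNING_KEY, so when neither path exists (or the env file defines a different name) the script reaches `echo "=== Signing release artifacts ==="` with the variable still empty — the same silent no-op this commit is fixing, just one step later. Unless the signing step further down (outside this hunk) already rejects an empty key, a guard right after `unset _zsk_env` makes the failure explicit: `[ -n "${ZDDC_SIGNING_KEY:-}" ] || { echo "error: ZDDC_SIGNING_KEY unset and no zddc-signing/env found" >&2; exit 1; }`. Separately, `.` executes the env file as shell code in the build's context, and the new fixed `/home/user/...` candidate is sourced whenever it is present regardless of who can write it; a comment such as `# NOTE: sourced as shell code — keep this file writable only by the operator` next to the loop, plus `[ -r "$_zsk_env" ]` alongside the `-f` test so an unreadable bind-mount is reported rather than half-handled, would make that trust assumption visible. The enclosing `if [ "$RELEASE_CHANNEL" = "stable" ]` block starts before this hunk.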