diff --git a/scripts/ci/priv.sh b/scripts/ci/priv.sh
new file mode 100644
index 0000000..043ce54
--- /dev/null
+++ b/scripts/ci/priv.sh
@@ -0,0 +1,14 @@
+# shellcheck shell=sh
+# Sourced by scripts/ci/*.sh — run commands as root when sudo is missing (e.g. Docker, act).
+# Usage: . "$(dirname "$0")/priv.sh"
+
+run_priv() {
+ if [ "$(id -u)" -eq 0 ]; then
+ "$@"
+ elif command -v sudo >/dev/null 2>&1; then
+ sudo "$@"
+ else
+ echo "run_priv: need root or sudo for: $*" >&2
+ exit 1
+ fi
+}
diff --git a/scripts/ci/setup-cosign.sh b/scripts/ci/setup-cosign.sh
index 9966c6f..97b623d 100755
--- a/scripts/ci/setup-cosign.sh
+++ b/scripts/ci/setup-cosign.sh
@@ -3,6 +3,8 @@
 # Usage: setup-cosign.sh [version]
 set -eu
+. "$(dirname "$0")/priv.sh"
+
 COSIGN_VERSION="${1:-3.0.5}"
 ARCH="$(uname -m)"
@@ -27,6 +29,6 @@ if [ -z "$EXPECTED" ] || [ "$EXPECTED" != "$ACTUAL" ]; then
 exit 1
 fi
-sudo install -m 0755 /tmp/cosign /usr/local/bin/cosign
+run_priv install -m 0755 /tmp/cosign /usr/local/bin/cosign
 rm -f /tmp/cosign /tmp/cosign-checksums.txt
 cosign version
diff --git a/scripts/ci/setup-docker.sh b/scripts/ci/setup-docker.sh
index 6e2ba12..97b93e2 100755
--- a/scripts/ci/setup-docker.sh
+++ b/scripts/ci/setup-docker.sh
@@ -6,13 +6,15 @@
 # or set REGISTRY, REGISTRY_USERNAME, REGISTRY_PASSWORD env vars.
 set -eu
+. "$(dirname "$0")/priv.sh"
+
 REGISTRY="${1:-${REGISTRY:-}}"
 USERNAME="${2:-${REGISTRY_USERNAME:-}}"
 PASSWORD="${3:-${REGISTRY_PASSWORD:-}}"
 echo "Registering QEMU binfmt handlers"
-sudo apt-get update -qq
-sudo apt-get install -y -qq qemu-user-static binfmt-support
+run_priv apt-get update -qq
+run_priv apt-get install -y -qq qemu-user-static binfmt-support
 echo "Creating Docker Buildx builder"
 docker buildx create --name multiarch --driver docker-container --use
diff --git a/scripts/ci/setup-java.sh b/scripts/ci/setup-java.sh
index d22c2ba..4cc6bcd 100755
--- a/scripts/ci/setup-java.sh
+++ b/scripts/ci/setup-java.sh
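Review bot: The `sudo "$@"` branch of run_priv in scripts/ci/priv.sh can hang a non-interactive runner on a password prompt when the CI user has sudo installed but no passwordless rule; `sudo -n "$@"` makes that case fail at once with sudo's own error. The two privileged branches are also not equivalent: the root branch runs the command with the caller's environment, while sudo applies whatever env_reset/secure_path policy the host's sudoers sets, so callers should not rely on exported variables or a modified PATH reaching the command. A line in the header comment saying so would help, e.g. `# Note: under sudo the command may get a reset environment; pass needed settings as arguments.`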
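Review bot: In setup-cosign.sh the privileged `run_priv install` still takes its input from `/tmp/cosign`, a fixed name in a world-writable directory, so the checksum comparison above only protects the root-installed binary if no other local account can get to that path first. This matters on shared or self-hosted runners rather than throwaway containers, and the download and hashing steps are outside this hunk, so how the file is created is not visible here. A private work directory created once with `WORK="$(mktemp -d)"` and removed by `trap 'rm -rf "$WORK"' EXIT` would cover download, verification and install. The same fixed-path pattern feeds privileged steps in setup-java.sh (`/tmp/jdk.tar.gz`), setup-node.sh (`/tmp/node.tar.xz`) and setup-task.sh (`/tmp/task.tar.gz`), and setup-python.sh writes its build log to `/tmp/python-build.log`.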
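Review bot: In setup-docker.sh, `PASSWORD="${3:-${REGISTRY_PASSWORD:-}}"` still lets the registry password arrive as a positional argument, which puts the secret in the script's command line where process listings and job logs that echo commands can show it. The usage comment already documents the `REGISTRY_PASSWORD` variable, so the argument form could be dropped or at least marked as discouraged there. How PASSWORD is consumed lies outside this hunk; if it is handed to `docker login`, `--password-stdin` keeps it out of that command's arguments too.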
@@ -6,6 +6,8 @@
 # Usage: setup-java.sh [major_version]
 set -eu
+. "$(dirname "$0")/priv.sh"
+
 JAVA_VERSION="${1:-17}"
 ARCH="$(uname -m)"
@@ -51,8 +53,8 @@ if [ -n "$CHECKSUM_URL" ]; then
 echo "Cross-verified against checksum_link"
 fi
-sudo mkdir -p /opt/java
-sudo tar -xzf /tmp/jdk.tar.gz -C /opt/java --strip-components=1
+run_priv mkdir -p /opt/java
+run_priv tar -xzf /tmp/jdk.tar.gz -C /opt/java --strip-components=1
 rm -f /tmp/jdk.tar.gz
 CI_ENV="${GITEA_ENV:-${GITHUB_ENV:-/dev/null}}"
diff --git a/scripts/ci/setup-node.sh b/scripts/ci/setup-node.sh
index 7cb8395..a3775ee 100755
--- a/scripts/ci/setup-node.sh
+++ b/scripts/ci/setup-node.sh
@@ -4,6 +4,8 @@
 # Usage: setup-node.sh [major_version]
 set -eu
+. "$(dirname "$0")/priv.sh"
+
 NODE_MAJOR="${1:-24}"
 ARCH="$(uname -m)"
@@ -43,7 +45,7 @@ if [ -z "$EXPECTED" ] || [ "$EXPECTED" != "$ACTUAL" ]; then
 fi
 echo "SHA256 verified: ${ACTUAL}"
-sudo tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1
+run_priv tar -xJf /tmp/node.tar.xz -C /usr/local --strip-components=1
 rm -f /tmp/node.tar.xz /tmp/node-shasums.txt
 export PATH="/usr/local/bin:$PATH"
diff --git a/scripts/ci/setup-python.sh b/scripts/ci/setup-python.sh
index 03ee371..92d3ad6 100755
--- a/scripts/ci/setup-python.sh
+++ b/scripts/ci/setup-python.sh
@@ -6,6 +6,8 @@
 # version: exact (3.13.9) or minor (3.13, resolved to latest patch).
 set -eu
+. "$(dirname "$0")/priv.sh"
+
 PY_INPUT="${1:-3.13}"
 CURRENT="$(python3 --version 2>/dev/null | sed 's/Python //')" || true
@@ -37,8 +39,8 @@ fi
 echo "Building Python ${PY_VERSION} from source (python.org)"
-sudo apt-get update -qq
-sudo apt-get install -y -qq \
+run_priv apt-get update -qq
+run_priv apt-get install -y -qq \
 build-essential gnupg curl \
 libssl-dev zlib1g-dev libbz2-dev libreadline-dev \
 libsqlite3-dev libffi-dev liblzma-dev libncurses-dev > /dev/null 2>&1
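Review bot: In setup-java.sh, `run_priv tar -xzf /tmp/jdk.tar.gz -C /opt/java --strip-components=1` extracts as root, and GNU tar run as root restores the owner and group recorded in the archive by default, so files under /opt/java can end up owned by whatever numeric uid the upstream build used. Adding `--no-same-owner` makes the extracted tree root-owned regardless of archive metadata: `run_priv tar --no-same-owner -xzf /tmp/jdk.tar.gz -C /opt/java --strip-components=1`. The same applies to the `tar -xJf ... -C /usr/local` call in setup-node.sh and the `tar -xzf ... -C /usr/local/bin task` call in setup-task.sh.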
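Review bot: In setup-python.sh the `run_priv apt-get install ... > /dev/null 2>&1` call throws away stderr as well as stdout, so when the install fails `set -eu` ends the script with nothing in the job log to explain why. Since `-qq` already suppresses routine output, dropping the redirection (or keeping only `> /dev/null`) leaves errors visible. The build hunk further down has the same blind spot: configure, make and `run_priv make install` write only to `$BUILD_LOG`, which is never printed on failure; an exit trap that tails the log when the status is non-zero would surface it.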
@@ -85,10 +87,10 @@ cd "Python-${PY_VERSION}"
 BUILD_LOG="/tmp/python-build.log"
 ./configure --prefix=/usr/local --with-ensurepip=install > "$BUILD_LOG" 2>&1
 make -j"$(nproc)" >> "$BUILD_LOG" 2>&1
-sudo make install >> "$BUILD_LOG" 2>&1
+run_priv make install >> "$BUILD_LOG" 2>&1
-sudo ln -sf /usr/local/bin/python3 /usr/local/bin/python
-sudo ln -sf /usr/local/bin/pip3 /usr/local/bin/pip
+run_priv ln -sf /usr/local/bin/python3 /usr/local/bin/python
+run_priv ln -sf /usr/local/bin/pip3 /usr/local/bin/pip
 cd /
 rm -rf "/tmp/${TARBALL}" "/tmp/${TARBALL}.asc" "/tmp/Python-${PY_VERSION}" "$BUILD_LOG"
diff --git a/scripts/ci/setup-task.sh b/scripts/ci/setup-task.sh
index f2534e5..bdafb9a 100755
--- a/scripts/ci/setup-task.sh
+++ b/scripts/ci/setup-task.sh
@@ -4,6 +4,8 @@
 # Usage: setup-task.sh [version]
 set -eu
+. "$(dirname "$0")/priv.sh"
+
 TASK_VERSION="${1:-3.49.1}"
 ARCH="$(uname -m)"
@@ -31,7 +33,7 @@ if [ -z "$EXPECTED" ] || [ "$EXPECTED" != "$ACTUAL" ]; then
 fi
 echo "SHA256 verified: ${ACTUAL}"
-sudo tar -xzf /tmp/task.tar.gz -C /usr/local/bin task
+run_priv tar -xzf /tmp/task.tar.gz -C /usr/local/bin task
 rm -f /tmp/task.tar.gz /tmp/task-checksums.txt
 task --version