refactor(ci): replace sudo commands with exec-priv.sh for improved privilege handling in CI workflows

2026-05-19 03:47:24 +00:00 · 2026-04-01 11:00:29 +03:00
parent 242325b0d2
commit d5e4afc42b
6 changed files with 19 additions and 12 deletions
@@ -63,8 +63,8 @@ jobs:

            - name: Install system dependencies
              run: |
-                  sudo apt-get update
-                  sudo apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng cmake ninja-build clang pkg-config
+                  sh scripts/ci/exec-priv.sh apt-get update
+                  sh scripts/ci/exec-priv.sh apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng cmake ninja-build clang pkg-config

            - name: Setup Task
              run: sh scripts/ci/setup-task.sh
@@ -47,9 +47,9 @@ jobs:

            - name: Install system dependencies
              run: |
-                  sudo dpkg --add-architecture i386
-                  sudo apt-get update
-                  sudo apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils appstream appstream-util
+                  sh scripts/ci/exec-priv.sh dpkg --add-architecture i386
+                  sh scripts/ci/exec-priv.sh apt-get update
+                  sh scripts/ci/exec-priv.sh apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils appstream appstream-util

            - name: Setup Task
              run: sh scripts/ci/setup-task.sh
@@ -86,9 +86,9 @@ jobs:

            - name: Install system dependencies
              run: |
-                  sudo dpkg --add-architecture i386
-                  sudo apt-get update
-                  sudo apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils
+                  sh scripts/ci/exec-priv.sh dpkg --add-architecture i386
+                  sh scripts/ci/exec-priv.sh apt-get update
+                  sh scripts/ci/exec-priv.sh apt-get install -y patchelf libopusfile0 ffmpeg espeak-ng zip rpm elfutils

            - name: Setup Task
              run: sh scripts/ci/setup-task.sh
@@ -133,7 +133,7 @@ jobs:

                  # Generate SBOM (CycloneDX)
                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
-                  sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+                  sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y
                  trivy fs --format cyclonedx --include-dev-deps --output release-assets/sbom.cyclonedx.json .

                  # Generate checksums
@@ -44,7 +44,7 @@ jobs:
            - name: Download Trivy
              run: |
                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
-                  sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+                  sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y

            - name: Trivy FS scan
              run: trivy fs --exit-code 1 .
@@ -100,7 +100,7 @@ jobs:
            - name: Download Trivy
              run: |
                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
-                  sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+                  sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y

            - name: Trivy FS scan
              run: trivy fs --exit-code 1 .
@@ -52,7 +52,7 @@ jobs:
            - name: Download Trivy
              run: |
                  curl -L -o /tmp/trivy.deb https://git.quad4.io/Quad4-Software/Trivy-Assets/raw/commit/fdfe96b77d2f7b7f5a90cea00af5024c9f728f17/trivy_0.69.3_Linux-64bit.deb
-                  sudo dpkg -i /tmp/trivy.deb || sudo apt-get install -f -y
+                  sh scripts/ci/exec-priv.sh dpkg -i /tmp/trivy.deb || sh scripts/ci/exec-priv.sh apt-get install -f -y

            - name: Trivy FS scan
              run: trivy fs --exit-code 1 --skip-dirs .pnpm-store .
@@ -0,0 +1,7 @@
+#!/bin/sh
+# Run a command with root privileges: use sudo only when not root (Docker/act often have no sudo).
+# Usage: sh scripts/ci/exec-priv.sh apt-get update
+set -eu
+
+. "$(dirname "$0")/priv.sh"
+run_priv "$@"