testsAndMisc/hosts/guard/pacman-hooks/pacman-post-relock-hosts.sh
Copilot faff8ba349 Fix shell script formatting and add PR workflow validation (#3)
* Initial plan

* fix: format shell scripts with shfmt (convert tabs to 2 spaces)

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>

* feat: enhance shell-check workflow for PR pre-merge validation

- Add pull_request_target trigger to check PRs from forks
- Add explicit failure message with instructions
- Create BRANCH_PROTECTION.md with setup guide
- Ensure workflow runs on all PRs targeting main/master

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>

* refactor: improve workflow security and remove redundant exit code

- Remove pull_request_target to avoid executing untrusted fork code
- Remove redundant exit 1 from failure step
- Update documentation to reflect changes
- Standard pull_request trigger handles forks securely

Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: kuhyx <147418882+kuhyx@users.noreply.github.com>
2026-01-07 22:52:20 +01:00

32 lines
670 B
Bash

#!/usr/bin/env bash
# pacman-post-relock-hosts.sh - Re-apply hosts guard protections after pacman

set -euo pipefail

# Source shared functions
SCRIPT_DIR="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
# shellcheck source=hosts-guard-common.sh
source "$SCRIPT_DIR/hosts-guard-common.sh"

ENFORCE=/usr/local/sbin/enforce-hosts.sh

log_hook "post" "relocking(start)"

# Collapse any stacked mounts first
collapse_mounts

# Run enforcement script if available
if [[ -x $ENFORCE ]]; then
  "$ENFORCE" > /dev/null 2>&1 || true
fi

# Apply protections
apply_immutable
apply_ro_bind_mount

# Start the path watcher
start_path_watcher

log_hook "post" "relocking(done)"
exit 0
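
A post-run audit of the mount state this hook appears to aim for (exactly one read-only mount on the guarded file), as an added example that is not part of the repository. It assumes the guarded path is `/etc/hosts` and that the last mountinfo entry for a path is the topmost mount; `mount_state`, `verdict` and `sample_mountinfo` are hypothetical names, and the sample lines are constructed.

```shell
#!/usr/bin/env bash
# Added example (not repository code). TARGET is an assumption: the real
# guarded path is defined in hosts-guard-common.sh, not shown on this page.
set -eu
TARGET=/etc/hosts

# mount_state MOUNTINFO TARGET  ("-" reads stdin)
# Prints "<count> <ro|rw|none>": how many mounts sit on TARGET and whether
# the last listed one (treated here as the topmost) is read-only.
mount_state() {
  awk -v target="$2" '
    $5 == target {
      count++
      # Field 6 holds the per-mount options, e.g. "ro,relatime"
      mode = index("," $6 ",", ",ro,") ? "ro" : "rw"
    }
    END { printf "%d %s\n", count, (count ? mode : "none") }
  ' "$1"
}

# verdict "<count> <mode>" -> ok | stacked | writable | unprotected
verdict() {
  count=${1% *}
  mode=${1#* }
  if [ "$count" -eq 0 ]; then echo unprotected # no mount on the target
  elif [ "$mode" != ro ]; then echo writable   # topmost mount is rw
  elif [ "$count" -gt 1 ]; then echo stacked   # collapse step left extras
  else echo ok
  fi
}

# Constructed sample: two read-only bind mounts stacked on the target.
sample_mountinfo() {
  cat <<'EOF'
22 1 8:2 / / rw,relatime shared:1 - ext4 /dev/sda2 rw
95 22 8:2 /etc/hosts /etc/hosts ro,relatime shared:1 - ext4 /dev/sda2 rw
96 95 8:2 /etc/hosts /etc/hosts ro,relatime shared:1 - ext4 /dev/sda2 rw
EOF
}

# Stand-alone run: audit the live mount table when it is readable.
if [ -r /proc/self/mountinfo ]; then
  state=$(mount_state /proc/self/mountinfo "$TARGET")
  echo "mounts=${state% *} top=${state#* } verdict=$(verdict "$state")"
fi
```

This covers only the mount layer; the immutable attribute set by `apply_immutable` would need a separate check.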