diff --git a/scripts/src/agentrun/yaml-lane.ts b/scripts/src/agentrun/yaml-lane.ts
index a1cb0f25..b6d4a889 100644
--- a/scripts/src/agentrun/yaml-lane.ts
+++ b/scripts/src/agentrun/yaml-lane.ts
@@ -498,18 +498,48 @@ export function yamlLaneSourceBootstrapSubmitScript(spec: AgentRunLaneSpec): str `bootstrap_branch=${shQuote(bootstrap)}`, `state_dir=${shQuote(stateDir)}`, "mkdir -p \"$state_dir\" \"$(dirname \"$workspace\")\"", - "case \"$remote\" in", - " git@*:*)", - " mkdir -p \"$HOME/.ssh\"", - " chmod 700 \"$HOME/.ssh\" 2>/dev/null || true", - " export GIT_SSH_COMMAND=${GIT_SSH_COMMAND:-ssh -o StrictHostKeyChecking=accept-new}", - " ;;", - " ssh://*)", - " mkdir -p \"$HOME/.ssh\"", - " chmod 700 \"$HOME/.ssh\" 2>/dev/null || true", - " export GIT_SSH_COMMAND=${GIT_SSH_COMMAND:-ssh -o StrictHostKeyChecking=accept-new}", + "git_user=''", + "git_home=''", + "case \"$workspace\" in", + " /home/*/*)", + " git_user=${workspace#/home/}", + " git_user=${git_user%%/*}", + " git_home=/home/$git_user", + " if ! id \"$git_user\" >/dev/null 2>&1; then git_user=''; git_home=''; fi", " ;;", "esac", + "if [ -n \"$git_user\" ]; then chown \"$git_user:$git_user\" \"$(dirname \"$workspace\")\" 2>/dev/null || true; fi", + "case \"$remote\" in", + " git@*:*)", + " if [ -n \"$git_user\" ] && [ -f \"$git_home/.ssh/id_ed25519\" ]; then", + " if [ -z \"${GIT_SSH_COMMAND:-}\" ]; then GIT_SSH_COMMAND=\"ssh -i $git_home/.ssh/id_ed25519 -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=$git_home/.ssh/known_hosts\"; fi", + " export GIT_SSH_COMMAND", + " else", + " mkdir -p \"$HOME/.ssh\"", + " chmod 700 \"$HOME/.ssh\" 2>/dev/null || true", + " if [ -z \"${GIT_SSH_COMMAND:-}\" ]; then GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=accept-new\"; fi", + " export GIT_SSH_COMMAND", + " fi", + " ;;", + " ssh://*)", + " if [ -n \"$git_user\" ] && [ -f \"$git_home/.ssh/id_ed25519\" ]; then", + " if [ -z \"${GIT_SSH_COMMAND:-}\" ]; then GIT_SSH_COMMAND=\"ssh -i $git_home/.ssh/id_ed25519 -o IdentitiesOnly=yes -o StrictHostKeyChecking=accept-new -o UserKnownHostsFile=$git_home/.ssh/known_hosts\"; fi", + " export GIT_SSH_COMMAND", + " else", + " mkdir -p 
\"$HOME/.ssh\"", + " chmod 700 \"$HOME/.ssh\" 2>/dev/null || true", + " if [ -z \"${GIT_SSH_COMMAND:-}\" ]; then GIT_SSH_COMMAND=\"ssh -o StrictHostKeyChecking=accept-new\"; fi", + " export GIT_SSH_COMMAND", + " fi", + " ;;", + "esac", + "git_cmd() {", + " if [ -n \"$git_user\" ]; then", + " sudo -u \"$git_user\" env HOME=\"$git_home\" GIT_SSH_COMMAND=\"$GIT_SSH_COMMAND\" git \"$@\"", + " else", + " git \"$@\"", + " fi", + "}", "job_id=\"source-bootstrap-$(date +%s)-$$\"", "status_file=\"$state_dir/$job_id.json\"", "stdout_file=\"$state_dir/$job_id.stdout.log\"", 
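Review bot: The new `case "$workspace" in /home/*/*)` arm takes `git_user` from the first path component and then runs `chown "$git_user:$git_user" "$(dirname "$workspace")"`, but nothing rejects `..` components, so a workspace path containing them still matches the glob and the chown can land on a directory outside that user's home. If `workspace` can be influenced by anything less trusted than the operator, add a rejecting arm ahead of it, e.g. `"  */../*|*/..) ;;",`, or canonicalise the path before matching. The chown's failure is also discarded by `2>/dev/null || true`, so a failed hand-over only shows up later as a clone error. Separately, `git_cmd` expands `"$GIT_SSH_COMMAND"` without a default while the lines above use `${GIT_SSH_COMMAND:-}`; for a non-SSH remote the variable is never set, which would abort under `set -u` if the generated script enables it, so `GIT_SSH_COMMAND="${GIT_SSH_COMMAND:-}"` is safer. The enclosing function starts and ends outside this hunk.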
@@ -525,28 +555,28 @@ export function yamlLaneSourceBootstrapSubmitScript(spec: AgentRunLaneSpec): str "NODE", " fi; exit \"$code\"; }", " trap write_failed_status EXIT", - " if [ -d \"$workspace/.git\" ] && git -C \"$workspace\" rev-parse --git-dir >/dev/null 2>&1; then", + " if [ -d \"$workspace/.git\" ] && git_cmd -C \"$workspace\" rev-parse --git-dir >/dev/null 2>&1; then", " :", " else", " rm -rf \"$workspace\"", - " git clone --no-checkout \"$remote\" \"$workspace\"", + " git_cmd clone --no-checkout \"$remote\" \"$workspace\"", " fi", " cd \"$workspace\"", - " git remote set-url origin \"$remote\" || git remote add origin \"$remote\"", - " git fetch origin \"$bootstrap_branch\" \"$branch\" || git fetch origin \"$bootstrap_branch\"", - " if git rev-parse --verify \"refs/remotes/origin/$branch^{commit}\" >/dev/null 2>&1; then", - " git checkout -B \"$branch\" \"refs/remotes/origin/$branch\"", + " git_cmd remote set-url origin \"$remote\" || git_cmd remote add origin \"$remote\"", + " git_cmd fetch origin \"$bootstrap_branch\" \"$branch\" || git_cmd fetch origin \"$bootstrap_branch\"", + " if git_cmd rev-parse --verify \"refs/remotes/origin/$branch^{commit}\" >/dev/null 2>&1; then", + " git_cmd checkout -B \"$branch\" \"refs/remotes/origin/$branch\"", " else", - " git checkout -B \"$branch\" \"refs/remotes/origin/$bootstrap_branch\"", + " git_cmd checkout -B \"$branch\" \"refs/remotes/origin/$bootstrap_branch\"", " fi", " if [ -f deploy/deploy.json ]; then rm deploy/deploy.json; fi", - " git add -A deploy/deploy.json 2>/dev/null || true", - " if ! git diff --quiet --cached -- deploy/deploy.json 2>/dev/null; then", - " git -c user.email=agentrun@unidesk.local -c user.name='UniDesk AgentRun Ops' commit -m 'chore: remove service deploy json truth'", + " git_cmd add -A deploy/deploy.json 2>/dev/null || true", + " if ! 
git_cmd diff --quiet --cached -- deploy/deploy.json 2>/dev/null; then", + " git_cmd -c user.email=agentrun@unidesk.local -c user.name='UniDesk AgentRun Ops' commit -m 'chore: remove service deploy json truth'", " fi", - " git push -u origin \"$branch\"", - " source_commit=$(git rev-parse HEAD)", - " status_short=$(git status --short)", + " git_cmd push -u origin \"$branch\"", + " source_commit=$(git_cmd rev-parse HEAD)", + " status_short=$(git_cmd status --short)", " SOURCE_COMMIT=\"$source_commit\" STATUS_SHORT=\"$status_short\" JOB_ID=\"$job_id\" WORKSPACE=\"$workspace\" BRANCH=\"$branch\" node <<'NODE' > \"$status_file\"", "console.log(JSON.stringify({ ok: process.env.STATUS_SHORT === '', status: 'succeeded', jobId: process.env.JOB_ID, workspace: process.env.WORKSPACE, branch: process.env.BRANCH, sourceCommit: process.env.SOURCE_COMMIT, workspaceClean: process.env.STATUS_SHORT === '', statusShort: process.env.STATUS_SHORT || null, removedServiceDeployJson: true, valuesPrinted: false }));", "NODE",
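Review bot: The existing-workspace probe now runs as `git_user` (`git_cmd -C "$workspace" rev-parse --git-dir`), and any failure still falls through to `rm -rf "$workspace"`, which runs as the invoking account. A checkout left by an earlier run under the invoking account is presumably not owned by `git_user`, so git may refuse it on ownership or permission grounds, and the workspace would then be deleted and re-cloned along with any unpushed state. Consider failing when `.git` exists but the probe does not succeed, for example `if [ -d "$workspace/.git" ]; then echo "workspace exists but is not usable as $git_user" >&2; exit 1; fi` ahead of the `rm -rf`. Note also that `rm deploy/deploy.json` and the status-file write still run as the invoking account inside a tree now owned by `git_user`; a comment saying that split is intentional would help. The function body continues outside this hunk.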