
Commit 465913d

fix ci shell compatibility and non-interactive security checks
1 parent e58841d commit 465913d

1 file changed

Lines changed: 17 additions & 17 deletions


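--- a/mise.toml
+++ b/mise.toml
@@ -9,28 +9,28 @@ run = "echo 'check complete'"
 [tasks.fmt]
 description = "Format Nix files"
 run = '''
-set -euo pipefail
+set -eu
 nix fmt
 '''
 
 [tasks.fmt-check]
 description = "Check Nix formatting"
 run = '''
-set -euo pipefail
+set -eu
 nix fmt -- --check .
 '''
 
 [tasks.flake-check]
 description = "Run flake checks without building heavy outputs"
 run = '''
-set -euo pipefail
+set -eu
 nix flake check --no-build
 '''
 
 [tasks.build-dryrun]
 description = "Dry-run build for canonical host configs"
 run = '''
-set -euo pipefail
+set -eu
 nix build .#nixosConfigurations.bit.config.system.build.toplevel --dry-run
 '''
 
@@ -42,18 +42,18 @@ run = "echo 'validation complete'"
 [tasks.ci-security]
 description = "CI security checks"
 run = '''
-set -euo pipefail
+set -eu
 python3 -m pip install --quiet detect-secrets
 
-detect-secrets scan --baseline .secrets.baseline
-detect-secrets audit .secrets.baseline
+python3 -m detect_secrets scan --baseline .secrets.baseline
+python3 -m detect_secrets.pre_commit_hook --baseline .secrets.baseline $(git ls-files)
 
 if grep -rE "(password|secret|token|api_key|private_key)\\s*=\\s*['\\\"]\\S+" . --include="*.nix" | grep -v ".github"; then
 echo "Error: Found potential hardcoded secrets. Use sops-nix for secrets!"
 exit 1
 fi
 
-if find . -type f -exec grep -l "BEGIN.*PRIVATE KEY" {} \\; | grep -v ".secrets.baseline"; then
+if find . -type f -exec grep -lE -- "-----BEGIN [A-Z ]*PRIVATE KEY-----" {} \; | grep -v ".secrets.baseline"; then
 echo "Error: Found private keys in repository!"
 exit 1
 fi
@@ -62,62 +62,62 @@ fi
 [tasks.update]
 description = "Update flake inputs"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/update.sh
 '''
 
 [tasks.deploy]
 description = "Deploy to host (set HOST=<name>)"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/deploy.sh
 '''
 
 [tasks.deploy-all]
 description = "Deploy to standard host set"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/deploy-all.sh
 '''
 
 [tasks.pull-deploy]
 description = "git pull then deploy (set HOST=<name>)"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/pull-deploy.sh
 '''
 
 [tasks.sync-remote]
 description = "Sync changed files from remote host (set HOST=<name>)"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/sync-remote.sh
 '''
 
 [tasks.remote-push]
 description = "Commit/push from remote host via agent forwarding (HOST, optional BRANCH)"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/remote-push.sh
 '''
 
 [tasks.secrets]
 description = "Edit encrypted secrets (optional FILE=secrets/...yaml)"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/secrets-edit.sh
 '''
 
 [tasks.secrets-view]
 description = "View decrypted secrets (optional FILE=secrets/...yaml)"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/secrets-view.sh
 '''
 
 [tasks.secrets-update]
 description = "Run sops updatekeys on secrets/*.yaml"
 run = '''
-set -euo pipefail
+set -eu
 ./scripts/mise/secrets-update.sh
 '''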
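Review bot: In the new `ci-security` task the `scan --baseline .secrets.baseline` step runs before the pre-commit hook, and as I understand detect-secrets, `scan --baseline` rewrites the baseline in place with any newly found candidates, so a freshly committed secret may already be in the baseline by the time `pre_commit_hook` compares against it and the gate passes. The hook on its own already fails on findings that are absent from the baseline, so dropping the scan step (or following it with `detect-secrets audit --report --fail-on-unaudited .secrets.baseline`, if the installed version supports that flag) would restore the intended check. The file list should also be passed NUL-delimited, `git ls-files -z | xargs -0 python3 -m detect_secrets.pre_commit_hook --baseline .secrets.baseline`, since the unquoted `$(git ls-files)` splits on whitespace and can exceed the argument-length limit on larger trees. Finally, `python3 -m pip install --quiet detect-secrets` pulls an unpinned package from PyPI on every CI run; pinning it, e.g. `detect-secrets==<version>`, keeps the check reproducible and limits exposure to a compromised release.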
