tangled.org / core
Monorepo for Tangled tangled.org
2
Fork 66

Configure Feed

Select the types of activity you want to include in your feed.

hook: use absolute binary path; skip inaccessible repos in secure mode

author
Anirudh Oppiliappan committer
Tangled date (Jun 12, 2026, 12:22 PM +0300) commit 388e28a4 parent 1837dd11 change-id tpnrvxrt
+19 -2
+19 -2
hook/setup.go
··· 74 74 } 75 75 76 76 userPath := filepath.Join(config.scanPath, did) 77 + if _, err := os.Stat(userPath); errors.Is(err, fs.ErrPermission) { 78 + slog.Warn("hook setup: skipping inaccessible repo", "path", userPath) 79 + continue 80 + } 77 81 if err := SetupRepo(config, userPath); err != nil { 78 82 if errors.Is(err, ErrNoGitRepo) { 79 83 slog.Warn("hook setup: skipping non-repo entry", "path", userPath, "err", err) ··· 111 115 } 112 116 113 117 func mkHook(config config, hookPath string) error { 118 + // use the absolute path to the underlying binary rather than a bare 119 + // `knot` lookup. on NixOS, bare `knot` resolves to /run/wrappers/bin/knot 120 + // which has restrictive perms (only the git group can exec it), so hooks 121 + // running as a virtual UID fail with EACCES. the underlying binary in 122 + // /nix/store is world-readable. hooks are regenerated on every deploy 123 + // so the store path stays fresh. 114 124 executablePath, err := os.Executable() 115 125 if err != nil { 116 126 return err ··· 126 136 %s hook -git-dir "$GIT_DIR" -user-did "$GIT_USER_DID" -user-handle "$GIT_USER_HANDLE" -internal-api "%s" "${push_options[@]}" post-receive 127 137 `, executablePath, config.internalApi) 128 138 129 - return os.WriteFile(hookPath, []byte(hookContent), 0755) 139 + if err := os.WriteFile(hookPath, []byte(hookContent), 0755); err != nil { 140 + return err 141 + } 142 + // os.WriteFile doesn't change the mode on existing files; chmod explicitly. 143 + return os.Chmod(hookPath, 0755) 130 144 } 131 145 132 146 func mkDelegate(path string) error { ··· 148 162 done 149 163 `) 150 164 151 - return os.WriteFile(path, []byte(content), 0755) 165 + if err := os.WriteFile(path, []byte(content), 0755); err != nil { 166 + return err 167 + } 168 + return os.Chmod(path, 0755) 152 169 }