main: maintain runner perms when mounting a stickydisk #5
Conversation
This file contains bidirectional Unicode text that may be interpreted or compiled differently than what appears below. To review, open the file in an editor that reveals hidden Unicode characters.
Learn more about bidirectional Unicode characters
![ellipsis-dev[bot]](https://avatars.githubusercontent.com/in/64358?s=60&v=4){kind=small}
There was a problem hiding this comment.
👍 Looks good to me! Reviewed everything up to 1254973 in 19 seconds
More details
- Looked at
53lines of code in1files - Skipped
1files when reviewing. - Skipped posting
5drafted comments based on config settings.
1. src/main.ts:36
- Draft comment:
Usingsudoin shell commands can be a security risk. Ensure that the commands are safe and that the user running the script has the necessary permissions. - Reason this comment was not posted:
Confidence changes required:50%
The use ofsudoin shell commands can be a security risk if not handled properly. It's important to ensure that the commands are safe and that the user running the script has the necessary permissions.
2. src/main.ts:42
- Draft comment:
Usingsudoin shell commands can be a security risk. Ensure that the commands are safe and that the user running the script has the necessary permissions. - Reason this comment was not posted:
Confidence changes required:50%
The use ofsudoin shell commands can be a security risk if not handled properly. It's important to ensure that the commands are safe and that the user running the script has the necessary permissions.
3. src/main.ts:62
- Draft comment:
Usingsudoin shell commands can be a security risk. Ensure that the commands are safe and that the user running the script has the necessary permissions. - Reason this comment was not posted:
Confidence changes required:50%
The use ofsudoin shell commands can be a security risk if not handled properly. It's important to ensure that the commands are safe and that the user running the script has the necessary permissions.
4. src/main.ts:85
- Draft comment:
Usingsudoin shell commands can be a security risk. Ensure that the commands are safe and that the user running the script has the necessary permissions. - Reason this comment was not posted:
Confidence changes required:50%
The use ofsudoin shell commands can be a security risk if not handled properly. It's important to ensure that the commands are safe and that the user running the script has the necessary permissions.
5. src/main.ts:88
- Draft comment:
Usingsudoin shell commands can be a security risk. Ensure that the commands are safe and that the user running the script has the necessary permissions. - Reason this comment was not posted:
Confidence changes required:50%
The use ofsudoin shell commands can be a security risk if not handled properly. It's important to ensure that the commands are safe and that the user running the script has the necessary permissions.
Workflow ID: wflow_EOFBola1B2wc2XiC
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
adityamaru
force-pushed
the
fix-perms
branch
from
1254973 to
229eaba
Compare
There was a problem hiding this comment.
👍 Looks good to me! Incremental review on 229eaba in 19 seconds
More details
- Looked at
83lines of code in2files - Skipped
1files when reviewing. - Skipped posting
2drafted comments based on config settings.
1. src/main.ts:36
- Draft comment:
Ensure that the use ofsudois necessary for this command. Whileblkidtypically requires root privileges, consider if there are any alternatives or configurations that could avoid the need forsudo. This comment applies to other uses ofsudoin this file as well. - Reason this comment was not posted:
Confidence changes required:50%
The use ofsudoin theexecAsynccalls is necessary for operations that require root privileges, such as formatting and mounting block devices. However, the use ofsudoshould be minimized to only those commands that absolutely require it, to reduce potential security risks.
2. .github/workflows/bump-tag.yaml:22
- Draft comment:
Using-fwithgit tagandgit pushcan overwrite existing tags. Ensure this is the intended behavior, as it can lead to loss of tag history. - Reason this comment was not posted:
Confidence changes required:50%
Thebump-tag.yamlworkflow file is responsible for updating a Git tag. The use of-fingit tagandgit pushis forceful and should be used with caution. It can overwrite existing tags, which might not be the intended behavior.
Workflow ID: wflow_iyYD9vHupWS9J9qJ
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
adityamaru
force-pushed
the
fix-perms
branch
from
229eaba to
d29289d
Compare
There was a problem hiding this comment.
👍 Looks good to me! Incremental review on d29289d in 31 seconds
More details
- Looked at
82lines of code in2files - Skipped
1files when reviewing. - Skipped posting
1drafted comments based on config settings.
1. .github/workflows/bump-tag.yaml:4
- Draft comment:
Consider addingpull_request:to theonsection to trigger the workflow on pull request events as well, as mentioned in the PR description. - Reason this comment was not posted:
Decided after close inspection that this draft comment was likely wrong and/or not actionable:
This workflow's purpose is to manually update a git tag. It would not make sense to run this on pull requests since: 1) We don't want to automatically bump tags on PRs 2) The workflow requires write permissions to push tags 3) The workflow explicitly checks out main branch 4) The comment assumes something about PR description which violates our rules.
Maybe there's a valid use case for running this on PRs that I'm not seeing? The PR description might have important context I'm missing.
No - this is a clear case where running on PRs would be incorrect. The workflow is designed for manual tag management and running it on PRs could cause tag conflicts and unintended side effects.
Delete this comment. It suggests a change that would be harmful to the workflow's purpose, and it also violates our rule about not making assumptions based on PR descriptions.
Workflow ID: wflow_SC6oDHEtEH2rEB74
You can customize Ellipsis with 👍 / 👎 feedback, review rules, user-specific overrides, quiet mode, and more.
Sign up for free
to join this conversation on GitHub.
Already have an account?
Sign in to comment
Add this suggestion to a batch that can be applied as a single commit.
This suggestion is invalid because no changes were made to the code.
Suggestions cannot be applied while the pull request is closed.
Suggestions cannot be applied while viewing a subset of changes.
Only one suggestion per line can be applied in a batch.
Add this suggestion to a batch that can be applied as a single commit.
Applying suggestions on deleted lines is not supported.
You must change the existing code in this line in order to create a valid suggestion.
Outdated suggestions cannot be applied.
This suggestion has been applied or marked resolved.
Suggestions cannot be applied from pending reviews.
Suggestions cannot be applied on multi-line comments.
Suggestions cannot be applied while the pull request is queued to merge.
Suggestion cannot be applied right now. Please check back later.
Important
Maintain runner permissions when mounting stickydisk by setting filesystem and mount point ownership, and add GitHub Actions workflow for tag management.
maybeFormatBlockDevice(), usesudo mkfs.ext4with-E root_owner=$(id -u):$(id -g)to set filesystem ownership to runner user.resize2fsoperation preserves existing filesystem ownership and permissions.mountStickyDisk(), create mount point withoutsudoto ensure runner user ownership.sudo chown $(id -u):$(id -g)after mounting to set mount point ownership to runner user.bump-tag.yamlworkflow to bumpv1tag onworkflow_dispatchandpull_requestevents.This description was created by
for d29289d. It will automatically update as commits are pushed.