ci: Reject unsafe execution of shell scripts

The shell scripts are inherently unsafe, because they will install new
software packages, modify global configuration settings, write to the
root / or $HOME, and possibly modify the git repo.

The only safe way to run them is through the CI system itself, that is
the ci_exec python function.

The ci_exec function ensures that the user has set up a sandbox
externally and set DANGER_RUN_CI_ON_HOST=1 at their own risk, or that a
sandbox was set up with the given container_id, in which case it is safe
to set DANGER_RUN_CI_ON_HOST=1 for that sandbox.
Also, it is safe to set DANGER_RUN_CI_ON_HOST=1 when building the
sandbox image in ci/test_imagefile.

Then, the two shell scripts can reject early if unsafe execution is
detected.
MarcoFalke 2026-02-17 09:43:25 +01:00
parent c8c9c1e617
commit fab73e213d
No known key found for this signature in database
4 changed files with 19 additions and 3 deletions


@ -8,6 +8,11 @@ export LC_ALL=C.UTF-8
set -o errexit -o pipefail -o xtrace
if [ "${DANGER_RUN_CI_ON_HOST}" != "1" ]; then
echo "This script will make unsafe local and global modifications, so it can only be run inside a container and requires DANGER_RUN_CI_ON_HOST=1"
exit 1
fi
CFG_DONE="${BASE_ROOT_DIR}/ci.base-install-done" # Use a global setting to remember whether this script ran to avoid running it twice
if [ "$( cat "${CFG_DONE}" || true )" == "done" ]; then
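Review bot: the rejection message in the new guard is written to stdout with a plain `echo`; since it is a fatal diagnostic, send it to stderr (`echo "..." >&2`) so that callers capturing the script's stdout still see it and it is not mixed into any parsed output. The placement is otherwise right: the guard sits after `set -o errexit -o pipefail -o xtrace` and before the `CFG_DONE` check, so an unsafe invocation exits before any state is read or written.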


@ -158,7 +158,13 @@ def main():
if os.getenv("DANGER_RUN_CI_ON_HOST"):
prefix = []
else:
prefix = ["docker", "exec", container_id]
prefix = [
"docker",
"exec",
"--env",
"DANGER_RUN_CI_ON_HOST=1", # Safe to set *inside* the container
container_id,
]
return run([*prefix, *cmd_inner], **kwargs)
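Review bot: the host branch `if os.getenv("DANGER_RUN_CI_ON_HOST"):` accepts any non-empty value, while the shell guards added in this commit require the variable to equal exactly `"1"`; a user who exports `DANGER_RUN_CI_ON_HOST=yes` would therefore skip the `docker exec` prefix and then have the script reject on the host. Tighten this to `if os.getenv("DANGER_RUN_CI_ON_HOST") == "1":` so the Python and shell checks agree. Passing the override with `--env DANGER_RUN_CI_ON_HOST=1` on the `docker exec` command is the right scope: it reaches only the process inside the container and never the host environment.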


@ -6,7 +6,12 @@
export LC_ALL=C.UTF-8
set -ex
set -o errexit -o xtrace
if [ "${DANGER_RUN_CI_ON_HOST}" != "1" ]; then
echo "This script will make unsafe local and global modifications, so it can only be run inside a container and requires DANGER_RUN_CI_ON_HOST=1"
exit 1
fi
cd "${BASE_ROOT_DIR}"
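Review bot: replacing `set -ex` with `set -o errexit -o xtrace` is behaviour-preserving and matches the spelling used in the first script, but unlike that script this one does not enable `-o pipefail`, so a failing left-hand command in a pipeline would still go unnoticed here. If the omission is intentional, a short comment saying so would help; otherwise add `-o pipefail` for parity. The new guard itself is identical to the one in the first script, so the same stderr redirection (`>&2`) applies.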


@ -21,4 +21,4 @@ COPY ./ci/test/00_setup_env.sh ./${FILE_ENV} ./ci/test/01_base_install.sh ./ci/t
# Bash is required, so install it when missing
RUN sh -c "bash -c 'true' || ( apk update && apk add --no-cache bash )"
RUN ["bash", "-c", "cd /ci_container_base/ && set -o errexit && source ./ci/test/00_setup_env.sh && ./ci/test/01_base_install.sh"]
RUN ["bash", "-c", "cd /ci_container_base/ && set -o errexit && source ./ci/test/00_setup_env.sh && DANGER_RUN_CI_ON_HOST=1 ./ci/test/01_base_install.sh"]
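Review bot: setting `DANGER_RUN_CI_ON_HOST=1` as a per-command prefix on `./ci/test/01_base_install.sh` rather than via a Dockerfile `ENV` instruction is the right choice: the override is visible only to that one build step and is not baked into the resulting image, so containers started from it still rely on `ci_exec` to supply the variable explicitly. Note that because `00_setup_env.sh` is sourced before the prefix takes effect, the guard cannot be moved into that sourced file without also changing this line.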