mirror of
https://github.com/NousResearch/hermes-agent.git
synced 2026-05-29 06:31:32 +00:00
shellcheck doesn't recognize the s6-overlay `#!/command/with-contenv sh`
shebang and aborts with SC1008 ("This shebang was unrecognized. ShellCheck
only supports sh/bash/dash/ksh/'busybox sh'. Add a 'shell' directive to
specify."). The error fires at --severity=error too, so it fails the
"Docker / shell lint" CI job on every PR that touches docker/.
Add the canonical `# shellcheck shell=sh` directive — same fix already
applied to the sibling cont-init.d scripts (`02-reconcile-profiles` and
`015-supervise-perms`) when they adopted the with-contenv shebang.
The shebang was changed from `#!/bin/sh` → `#!/command/with-contenv sh`
in PR #32412 (commit 29c71e9) to fix env-propagation through s6's PID 1.
The shellcheck-directive line was missed in that PR; this patches it.
Reproduces locally:
    docker run --rm -v "$PWD:/mnt" -w /mnt koalaman/shellcheck:stable \
        --severity=error --format=gcc docker/main-wrapper.sh
    Before: docker/main-wrapper.sh:1:1: error: [SC1008] (rc=1)
    After: (no output) (rc=0)
Script behavior is unchanged — the directive is a comment, and `sh -n`
/ `bash -n` parse the file cleanly either way.
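
A CI guard for the omission described in the commit message above, as an added example that is not part of the hermes-agent repository: it flags any script that uses the with-contenv shebang but has no `# shellcheck shell=` directive before its first command. The function names `missing_shell_directive` and `scan_tree` are hypothetical, and the check assumes the directive has to sit in the leading comment block to take effect.

```sh
#!/bin/sh
# Added example (not from the repository): catch s6-overlay scripts that
# would trip SC1008 because the shell directive was forgotten.

# missing_shell_directive FILE
# Returns 0 (true) when FILE starts with a with-contenv shebang and no
# "# shellcheck ... shell=" directive appears before the first command.
missing_shell_directive() {
    awk '
        NR == 1 {
            if ($0 ~ /^#![ \t]*\/command\/with-contenv([ \t]|$)/) {
                contenv = 1      # shebang shellcheck cannot identify
                next
            }
            exit                 # any other shebang is out of scope
        }
        /^[ \t]*#[ \t]*shellcheck[ \t].*shell=/ { found = 1; exit }
        /^[ \t]*(#|$)/ { next }  # still in the header comments / blank lines
        { exit }                 # first command reached, stop looking
        END { if (contenv && !found) exit 0; exit 1 }
    ' "$1"
}

# scan_tree DIR
# Prints every offending file under DIR; returns 1 if any were found so
# a CI step can fail on it.
scan_tree() {
    offenders=$(find "$1" -type f | while IFS= read -r f; do
        if missing_shell_directive "$f"; then
            printf '%s\n' "$f"
        fi
    done)
    [ -z "$offenders" ] && return 0
    printf '%s\n' "$offenders"
    return 1
}

# Stand-alone use: pass the directory to scan as the first argument.
if [ $# -gt 0 ]; then
    scan_tree "$1"
fi
```

Run against the directory that holds the container scripts, this reports the file before shellcheck itself aborts on it.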
43 lines
1.6 KiB
Bash
Executable file
#!/command/with-contenv sh
# shellcheck shell=sh
# /opt/hermes/docker/main-wrapper.sh — wraps the container's CMD with
# the same argument-routing logic the pre-s6 entrypoint.sh used. Runs
# as /init's "main program" (Docker CMD) so it inherits stdin/stdout/
# stderr from the container.
#
# Shebang note: /init scrubs env before invoking CMD, so a plain
# `#!/bin/sh` wrapper sees an empty environ and `ENV HERMES_HOME=/opt/data`
# from the Dockerfile never reaches `hermes`. with-contenv repopulates
# the env from /run/s6/container_environment before exec'ing, which is
# what s6-supervised services use too (see main-hermes/run).
#
# Routing:
#   no args → exec `hermes` (the default)
#   first arg is an executable → exec it directly (sleep, bash, sh, …)
#   first arg is anything else → exec `hermes <args>` (subcommand passthrough)
#
# We drop to the hermes user via `s6-setuidgid` so the supervised
# workload runs unprivileged (UID 10000 by default).
set -e

# HOME comes through with-contenv as /root (the /init context). Override
# to the hermes user's home before dropping privileges so libraries that
# resolve paths via $HOME (e.g. discord lockfile under XDG_STATE_HOME)
# don't try to write to /root.
export HOME=/opt/data

cd /opt/data
# shellcheck disable=SC1091
. /opt/hermes/.venv/bin/activate

if [ $# -eq 0 ]; then
    exec s6-setuidgid hermes hermes
fi

if command -v "$1" >/dev/null 2>&1; then
    # Bare executable — pass through directly.
    exec s6-setuidgid hermes "$@"
fi

# Hermes subcommand pass-through.
exec s6-setuidgid hermes hermes "$@"