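#!/usr/bin/env bats
# tests/permissions.bats
# Locks down the repo's file permissions so that a `cp`/deploy preserves
# executability and the "Permission denied" failure does not recur
# (e.g. ingest-semantic.py launched directly).
#
# Principle:
# - scripts with a shebang that are launched directly -> executable (git mode 100755)
# - *sourced* libraries (lib/, providers/, registry.sh, globals.env) -> NOT executable (100644)
#
# Scope caveat: git records only the executable bit of a regular file
# (100644 vs 100755). Group/world-writable bits on a deployed copy are not
# visible through `git ls-files -s`, so these tests do not cover them.

REPO="${BATS_TEST_DIRNAME}/.."

# Entry points / executable scripts (all have a shebang; some are also run by hand for debugging).
EXECUTABLES=(
  skills/ingest/scripts/ingest-semantic.py
  skills/ingest/scripts/run-ingest.sh
  skills/ingest/scripts/scoped-lint.sh
  skills/ingest/scripts/open-pr.sh
  skills/ingest/scripts/log-append.sh
  skills/ingest/scripts/slug.sh
  skills/ingest/scripts/index-append.py
  scripts/add-genome.sh
  scripts/setup.sh
  scripts/setup-genomes.sh
  scripts/setup-master.sh
  scripts/lint-genomes.sh
  scripts/verify-genomes.sh
)

# Sourced libraries: these must NOT be executable.
LIBRARIES=(
  lib/lint.sh
  lib/output.sh
  lib/deps.sh
  lib/git-crypt.sh
  lib/scaffold.sh
  lib/structure.sh
  providers/forgejo.sh
  providers/github.sh
  registry.sh
  globals.env
)

#######################################
# Print the mode git has recorded in the index for one path.
# Globals:   REPO (read)
# Arguments: $1 - path relative to the repo root
# Outputs:   the index mode(s) on stdout, one per index entry; nothing if
#            the path is not tracked
# Returns:   0 on success (including "not tracked"); git's non-zero status
#            if `git ls-files` itself fails
#######################################
git_mode() {
  local entries
  # Run git on its own rather than at the head of a pipeline: without
  # pipefail the pipeline status would be awk's, and a git failure (git
  # missing, REPO not a work tree, git refusing the repository) would look
  # exactly like "path not tracked".
  entries="$(git -C "$REPO" ls-files -s -- "$1")" || return
  [ -n "$entries" ] || return 0
  printf '%s\n' "$entries" | awk '{print $1}'
}

@test "executable scripts have the +x bit on disk" {
  local f
  for f in "${EXECUTABLES[@]}"; do
    # -x is evaluated for the user running the tests.
    [ -x "${REPO}/${f}" ] || { echo "NON eseguibile su disco: $f"; return 1; }
  done
}

@test "executable scripts are recorded 100755 in git" {
  local f mode
  for f in "${EXECUTABLES[@]}"; do
    mode="$(git_mode "$f")" || { echo "git ls-files failed: $f"; return 1; }
    [ -n "$mode" ] || { echo "non tracciato in git: $f"; return 1; }
    [ "$mode" = "100755" ] || { echo "git mode $mode (atteso 100755): $f"; return 1; }
  done
}

@test "sourced libraries are NOT executable in git (100644)" {
  local f mode
  for f in "${LIBRARIES[@]}"; do
    # Fail closed: if git cannot be queried, report it instead of treating
    # every library as untracked and passing without checking anything.
    mode="$(git_mode "$f")" || { echo "git ls-files failed: $f"; return 1; }
    # Not tracked / optional -> skip.
    if [ -z "$mode" ]; then
      continue
    fi
    [ "$mode" = "100644" ] || { echo "git mode $mode (atteso 100644, e' sourced): $f"; return 1; }
  done
}

@test "executable shell scripts pass bash -n (syntax)" {
  local f
  for f in "${EXECUTABLES[@]}"; do
    # Only the *.sh entries are parsed; the Python entry points are skipped.
    case "$f" in
      *.sh)
        bash -n "${REPO}/${f}" || { echo "syntax error: $f"; return 1; }
        ;;
    esac
  done
}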