ref:bc661c27229cb4cf419185e7b66b133f7c7938f8

fix: wrap Docker command in subshell so set -e cannot bypass chown

When the user command contains `set -e`, shell exits on the first error, never reaching the chown cleanup. Wrapping in a subshell (parentheses) isolates `set -e` so the exit code is captured and chown always runs.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
SHA: bc661c27229cb4cf419185e7b66b133f7c7938f8
Author: Cole Christensen <cole.christensen@macmillan.com>
Date: 2026-03-14 01:56
Parents: de7855d
1 files changed +4 -1
src/runner/executor.rs +4 −1
@@ -109,8 +109,11 @@
// is fixed before the container exits.
let uid = unsafe { libc::getuid() };
let gid = unsafe { libc::getgid() };
// Run the user command in a subshell so `set -e` cannot bypass the
// chown cleanup. The subshell's exit code is captured regardless of
// whether it succeeds or fails.
let wrapped_command = format!(
"{command}\n_exit_code=$?\nchown -R {uid}:{gid} /workspace 2>/dev/null || true\nexit $_exit_code"
"({command})\n_exit_code=$?\nchown -R {uid}:{gid} /workspace 2>/dev/null || true\nexit $_exit_code"
);
// Image and command
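Review bot: In the new format string the closing `)` sits directly after `{command}` on the same line, so a user command whose last line ends in a `#` comment or a trailing backslash swallows the parenthesis. The subshell is then never closed, the whole wrapper fails to parse, and neither the command nor the chown runs. Putting the parentheses on their own lines avoids this, for example `"(\n{command}\n)\n_exit_code=$?\n..."`. Separately, the subshell isolates `set -e` and `exit` inside the user command, but a signal that terminates the outer shell still skips the chown; a `trap` on EXIT in the outer shell would cover that path as well. A regression test that runs a command beginning with `set -e` followed by a failing step, then asserts both the propagated exit code and the ownership of /workspace, would pin down the behaviour the comment describes.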