Internal: tweak shell scripts (pipefail doesn't exist in POSIX)

djbe · djbe · commit 7f11dcb4af5f · 2026-02-13T05:30:09.000+01:00
diff --git a/common/config/s6-overlay/startup-scripts/data/run.sh b/common/config/s6-overlay/startup-scripts/data/run.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Set defaults
-SECRET_DIR=/secrets
+readonly SECRET_DIR=/secrets
 
 # Correct permissions so we can run as `nobody`
 EXTRA_DIRS=
@@ -16,7 +16,7 @@ chown nobody:nogroup \
   $EXTRA_DIRS
 
 # Ensure our working path is correct
-OLD_PWD="$PWD"
+readonly OLD_PWD="$PWD"
 if [ -d /app/www ]; then
   cd /app/www
 fi
diff --git a/common/scripts/docker-entrypoint.sh b/common/scripts/docker-entrypoint.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Set defaults
-SECRET_DIR=/secrets
+readonly SECRET_DIR=/secrets
 
 # Helper to run a command, invoking startup scripts, dropping down to `nobody`
 # user, and loading secrets into ENV.
@@ -17,7 +17,7 @@ safe_exec() {
 }
 
 # Check if command matches, otherwise fallback to executing it
-COMMAND_SCRIPT="/scripts/commands/${1}.sh"
+readonly COMMAND_SCRIPT="/scripts/commands/${1}.sh"
 if [ -x "$COMMAND_SCRIPT" ]; then
   shift 1
   . "$COMMAND_SCRIPT"
diff --git a/common/scripts/startup/50-env-configure-nginx-api-paths.sh b/common/scripts/startup/50-env-configure-nginx-api-paths.sh
@@ -1,15 +1,15 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx CORS rules based on ENV vars
 #
 # Inputs:
 # - NGINX_API_PATHS: defaults to '' (empty list)
 
 # Set defaults & clean up (normalize, trim, …)
-NGINX_CONFIG_FILE=/etc/nginx/site-mods-enabled.d/generated-api-paths.conf
-NGINX_API_PATHS=$(echo "${NGINX_API_PATHS:-}" \
+readonly NGINX_CONFIG_FILE=/etc/nginx/site-mods-enabled.d/generated-api-paths.conf
+readonly NGINX_API_PATHS=$(echo "${NGINX_API_PATHS:-}" \
   | sed 's/,/ /g; s/^ *//; s/ *$//; s/  */ /g')
 
 # Check nginx structure
diff --git a/common/scripts/startup/50-env-configure-nginx-cors.sh b/common/scripts/startup/50-env-configure-nginx-cors.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx CORS rules based on ENV vars
 #
@@ -9,10 +9,10 @@ set -euo pipefail
 # - NGINX_CORS_RESOURCE_POLICY: defaults to 'same-origin'
 
 # Set defaults & clean up (normalize, trim, …)
-NGINX_CONFIG_FILE=/etc/nginx/snippets/vars/cors-origin.conf
-NGINX_CORS_ORIGINS=$(echo "${NGINX_CORS_ORIGINS:-*}" \
+readonly NGINX_CONFIG_FILE=/etc/nginx/snippets/vars/cors-origin.conf
+readonly NGINX_CORS_ORIGINS=$(echo "${NGINX_CORS_ORIGINS:-*}" \
   | sed 's/,/ /g; s/^ *//; s/ *$//; s/  */ /g')
-NGINX_CORS_RESOURCE_POLICY="${NGINX_CORS_RESOURCE_POLICY:-same-origin}"
+readonly NGINX_CORS_RESOURCE_POLICY="${NGINX_CORS_RESOURCE_POLICY:-same-origin}"
 
 # Check nginx structure
 if [ ! -f "${NGINX_CONFIG_FILE}" ]; then
diff --git a/common/scripts/startup/50-env-configure-nginx-csp.sh b/common/scripts/startup/50-env-configure-nginx-csp.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx security based on ENV vars, and if available the defaults
 # located at `/etc/csp-generator/default`.
@@ -19,17 +19,17 @@ set -euo pipefail
 # - NGINX_FRAME_OPTIONS: defaults to 'deny', note that setting to `disable` removes the header completely.
 
 # Set defaults
-NGINX_CONFIG_FILE='/etc/nginx/snippets/vars/csp-and-robots.conf'
-NGINX_CSP_ITEMS='child-src connect-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src require-trusted-types-for script-src style-src trusted-types worker-src'
-NGINX_CSP_MODE="${NGINX_CSP_MODE:-report-only}"
-NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
-NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
+readonly NGINX_CONFIG_FILE='/etc/nginx/snippets/vars/csp-and-robots.conf'
+readonly NGINX_CSP_ITEMS='child-src connect-src font-src form-action frame-ancestors frame-src img-src manifest-src media-src object-src require-trusted-types-for script-src style-src trusted-types worker-src'
+readonly NGINX_CSP_MODE="${NGINX_CSP_MODE:-report-only}"
+readonly NGINX_CSP_REPORT_URI="${NGINX_CSP_REPORT_URI:-}"
+readonly NGINX_FRAME_OPTIONS="${NGINX_FRAME_OPTIONS:-deny}"
 
 # Validate input
 if [ "${NGINX_CSP_MODE}" = 'enforce' ]; then
-  NGINX_CSP_VAR_NAME='content_security_policy'
+  readonly NGINX_CSP_VAR_NAME='content_security_policy'
 elif [ "${NGINX_CSP_MODE}" = 'report-only' ]; then
-  NGINX_CSP_VAR_NAME='content_security_policy_report_only'
+  readonly NGINX_CSP_VAR_NAME='content_security_policy_report_only'
 else
   echo "Nginx: invalid CSP mode ${NGINX_CSP_MODE}"
   exit 1
diff --git a/common/scripts/startup/50-env-configure-nginx-robots.sh b/common/scripts/startup/50-env-configure-nginx-robots.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx robots rules based on ENV vars
 #
@@ -9,10 +9,10 @@ set -euo pipefail
 # - NGINX_ROBOTS_TXT: defaults to 'Disallow: /', note that setting to `disable` removes the rule completely.
 
 # Set defaults
-NGINX_CONFIG_FILE_MODS=/etc/nginx/site-mods-enabled.d/generated-robots.conf
-NGINX_CONFIG_FILE_VARS=/etc/nginx/snippets/vars/robots-tag.conf
-NGINX_ROBOTS_TAG="${NGINX_ROBOTS_TAG:-none}"
-NGINX_ROBOTS_TXT="${NGINX_ROBOTS_TXT:-Disallow: /}"
+readonly NGINX_CONFIG_FILE_MODS=/etc/nginx/site-mods-enabled.d/generated-robots.conf
+readonly NGINX_CONFIG_FILE_VARS=/etc/nginx/snippets/vars/robots-tag.conf
+readonly NGINX_ROBOTS_TAG="${NGINX_ROBOTS_TAG:-none}"
+readonly NGINX_ROBOTS_TXT="${NGINX_ROBOTS_TXT:-Disallow: /}"
 
 # robots tag header
 if [ -f "${NGINX_CONFIG_FILE_VARS}" ]; then
diff --git a/matomo/scripts/commands/init.sh b/matomo/scripts/commands/init.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 config_file="/var/www/html/config/config.ini.php"
 
diff --git a/matomo/scripts/startup/50-unzip-matomo.sh b/matomo/scripts/startup/50-unzip-matomo.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 if [ ! -e matomo.php ]; then
   tar cf - --one-file-system -C /usr/src/matomo . | tar xf -
diff --git a/nuxt-base/config/s6-overlay/node-memory-monitor/data/run.sh b/nuxt-base/config/s6-overlay/node-memory-monitor/data/run.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure PHP FPM `pm` based on ENV vars
 #
diff --git a/nuxt-base/scripts/startup/50-prep-nginx-ready-check.sh b/nuxt-base/scripts/startup/50-prep-nginx-ready-check.sh
@@ -1,11 +1,11 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Prep. nginx config files so memory monitor service can disable probes
 
 if [ -d /etc/nginx/site-mods-enabled.d/ ]; then
-  NGINX_CONFIG_FILE=/etc/nginx/snippets/nuxt-probes-content.conf
+  readonly NGINX_CONFIG_FILE=/etc/nginx/snippets/nuxt-probes-content.conf
 
   # Default nginx config (i.e. just forward to API)
   cat <<EOF > "$NGINX_CONFIG_FILE"
diff --git a/payload-base/scripts/startup/50-move-static-files.sh b/payload-base/scripts/startup/50-move-static-files.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Move static files, so we can serve `/_next/static/…`
 if [ -d "/app/www/.next/static" ]; then
diff --git a/php-base/scripts/startup/50-env-configure-nginx-php-upload-limit.sh b/php-base/scripts/startup/50-env-configure-nginx-php-upload-limit.sh
@@ -1,6 +1,6 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure nginx & PHP upload limits based on ENV vars
 #
@@ -10,9 +10,9 @@ set -euo pipefail
 # - PHP_POST_MAX_FILESIZE: defaults to '2M'
 
 # Set defaults
-NGINX_MAX_BODY_SIZE="${NGINX_MAX_BODY_SIZE:-8M}"
-PHP_POST_MAX_SIZE="${PHP_POST_MAX_SIZE:-$NGINX_MAX_BODY_SIZE}"
-PHP_POST_MAX_FILESIZE="${PHP_POST_MAX_FILESIZE:-2M}"
+readonly NGINX_MAX_BODY_SIZE="${NGINX_MAX_BODY_SIZE:-8M}"
+readonly PHP_POST_MAX_SIZE="${PHP_POST_MAX_SIZE:-$NGINX_MAX_BODY_SIZE}"
+readonly PHP_POST_MAX_FILESIZE="${PHP_POST_MAX_FILESIZE:-2M}"
 
 if [ -d /etc/nginx/site-mods-enabled.d/ ]; then
   # nginx body size
diff --git a/php-base/scripts/startup/50-env-configure-php-fpm-memory-limit.sh b/php-base/scripts/startup/50-env-configure-php-fpm-memory-limit.sh
@@ -1,14 +1,14 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure PHP FPM memory limits based on ENV vars
 #
 # Inputs:
 # - PHP_FPM_MEMORY_LIMIT: defaults to '256M'
 
 # Set defaults
-PHP_FPM_MEMORY_LIMIT="${PHP_FPM_MEMORY_LIMIT:-256M}"
+readonly PHP_FPM_MEMORY_LIMIT="${PHP_FPM_MEMORY_LIMIT:-256M}"
 
 for php_config_file in /etc/php*/php-fpm.d/www.conf; do
   # PHP memory limits
diff --git a/php-base/scripts/startup/50-env-configure-php-fpm-pm.sh b/php-base/scripts/startup/50-env-configure-php-fpm-pm.sh
@@ -1,24 +1,24 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Configure PHP FPM `pm` based on ENV vars
 #
 # Inputs:
 # - PHP_FPM_PM: defaults to 'static'
 
 # Set defaults
-PHP_FPM_PM="${PHP_FPM_PM:-static}"
+readonly PHP_FPM_PM="${PHP_FPM_PM:-static}"
 
 # Validate input
 if [ "$PHP_FPM_PM" = 'static' ]; then
-  PM_SNIPPET='
+  readonly PM_SNIPPET='
 pm = static
 pm.max_children = 5
 pm.max_requests = 1000
 '
 elif [ "$PHP_FPM_PM" = 'ondemand' ]; then
-  PM_SNIPPET='
+  readonly PM_SNIPPET='
 pm = ondemand
 pm.max_children = 80
 pm.process_idle_timeout = 30s;
diff --git a/tests/build-image.sh b/tests/build-image.sh
@@ -1,12 +1,12 @@
 #!/usr/bin/env bash
 
-set -euo pipefail
+set -eu
 
-IMAGE_NAME=$1
-IMAGE_TAG=$2
-IMAGE_TARGET=$3
-VERSIONS=$4
-DOCKERFILE="./$IMAGE_NAME/Dockerfile"
+readonly IMAGE_NAME=$1
+readonly IMAGE_TAG=$2
+readonly IMAGE_TARGET=$3
+readonly VERSIONS=$4
+readonly DOCKERFILE="./$IMAGE_NAME/Dockerfile"
 
 # Load versions into ENV
 if [ -n "$VERSIONS" ]; then
@@ -25,11 +25,11 @@ done <<< "$(echo -e "$VERSIONS")"
 
 # Calculate base
 if grep -qE 'FROM common:.*-nginx AS' "$DOCKERFILE"; then
-  BASE_IMAGE_NAME="common:${ALPINE_VERSION}-nginx"
-  BASE_IMAGE_TARGET=nginx
+  readonly BASE_IMAGE_NAME="common:${ALPINE_VERSION}-nginx"
+  readonly BASE_IMAGE_TARGET=nginx
 elif grep -qE 'FROM common:.* AS' "$DOCKERFILE"; then
-  BASE_IMAGE_NAME="common:${ALPINE_VERSION}"
-  BASE_IMAGE_TARGET=base
+  readonly BASE_IMAGE_NAME="common:${ALPINE_VERSION}"
+  readonly BASE_IMAGE_TARGET=base
 fi
 
 # Cleanup
diff --git a/tests/run-tests.sh b/tests/run-tests.sh
@@ -4,9 +4,9 @@ set -euo pipefail
 shopt -s nullglob
 
 # Note: drop the "tag" from the name
-IMAGE_NAME=$1
-SUITE_NAME=${IMAGE_NAME%%:*}
-IMAGE_TARGET=$2
+readonly IMAGE_NAME=$1
+readonly SUITE_NAME=${IMAGE_NAME%%:*}
+readonly IMAGE_TARGET=$2
 
 run_test() {
   echo "Running ${1}…"
@@ -50,7 +50,7 @@ dgoss_run() {
 }
 
 # Check we have a test suite
-TEST_DIR="tests/$SUITE_NAME/$IMAGE_TARGET"
+readonly TEST_DIR="tests/$SUITE_NAME/$IMAGE_TARGET"
 if [ ! -d "$TEST_DIR" ]; then
   echo "Error: missing test suite '$TEST_DIR'"
   exit 1
diff --git a/web-base/scripts/startup/90-inject-env-into-index.sh b/web-base/scripts/startup/90-inject-env-into-index.sh
@@ -1,9 +1,9 @@
 #!/usr/bin/env sh
 
-set -euo pipefail
+set -eu
 
 # Inject environment variables
-ENV_EXAMPLE_PATH=/etc/import-meta-env/example
+readonly ENV_EXAMPLE_PATH=/etc/import-meta-env/example
 if [ -f $ENV_EXAMPLE_PATH ]; then
   echo "Found example env at '$ENV_EXAMPLE_PATH', applying to codebase…"
   import-meta-env \

Original file line number	Diff line number	Diff line change
`@@ -1,6 +1,6 @@`
`1`	`1`	`#!/usr/bin/env sh`
`2`	`2`
`3`		`-set -euo pipefail`
	`3`	`+set -eu`
`4`	`4`
`5`	`5`	# Configure PHP FPM `pm` based on ENV vars
`6`	`6`	`#`