ci(security): harden C toolchain bootstrap for non-sudo runners

2026-03-02 18:53:24 +08:00 · 2026-03-02 18:53:24 +08:00 · 77bf7ff75a
commit 77bf7ff75a
parent 5cac4f873f
1 changed files with 12 additions and 5 deletions
--- a/scripts/ci/ensure_c_toolchain.sh
+++ b/scripts/ci/ensure_c_toolchain.sh
@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail

+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 set_env_var() {
    local key="$1"
    local value="$2"
@ -46,11 +48,16 @@ if command -v clang >/dev/null 2>&1; then
    exit 0
 fi

-if command -v sudo >/dev/null 2>&1 && command -v apt-get >/dev/null 2>&1; then
-    echo "C compiler not found. Installing build-essential via apt..."
-    sudo apt-get update
-    sudo apt-get install -y build-essential
-    configure_linker "$(command -v cc)"
+# Prefer the resilient provisioning path (package manager + Zig fallback) used by CI Rust jobs.
+if [ -x "${script_dir}/ensure_cc.sh" ]; then
+    if bash "${script_dir}/ensure_cc.sh"; then
+        configure_linker "$(command -v cc)"
+        exit 0
+    fi
+fi
+
+if [ "${ALLOW_MISSING_C_TOOLCHAIN:-}" = "1" ] || [ "${ALLOW_MISSING_C_TOOLCHAIN:-}" = "true" ]; then
+    echo "::warning::No usable C compiler found; continuing because ALLOW_MISSING_C_TOOLCHAIN is enabled."
    exit 0
 fi