From 77bf7ff75a2b69cc05de1fc93ba6bd5a4ef5af01 Mon Sep 17 00:00:00 2001
From: Chummy
Date: Mon, 2 Mar 2026 18:53:24 +0800
Subject: [PATCH] ci(security): harden C toolchain bootstrap for non-sudo runners

---
 scripts/ci/ensure_c_toolchain.sh | 17 ++++++++++++-----
 1 file changed, 12 insertions(+), 5 deletions(-)

diff --git a/scripts/ci/ensure_c_toolchain.sh b/scripts/ci/ensure_c_toolchain.sh
index 2a70ac229..67c7e4c77 100755
--- a/scripts/ci/ensure_c_toolchain.sh
+++ b/scripts/ci/ensure_c_toolchain.sh
@@ -1,6 +1,8 @@
 #!/usr/bin/env bash
 set -euo pipefail
 
+script_dir="$(cd "$(dirname "${BASH_SOURCE[0]}")" && pwd)"
+
 set_env_var() {
   local key="$1"
   local value="$2"
@@ -46,11 +48,16 @@ if command -v clang >/dev/null 2>&1; then
   exit 0
 fi
 
-if command -v sudo >/dev/null 2>&1 && command -v apt-get >/dev/null 2>&1; then
-  echo "C compiler not found. Installing build-essential via apt..."
-  sudo apt-get update
-  sudo apt-get install -y build-essential
-  configure_linker "$(command -v cc)"
+# Prefer the resilient provisioning path (package manager + Zig fallback) used by CI Rust jobs.
+if [ -x "${script_dir}/ensure_cc.sh" ]; then
+  if bash "${script_dir}/ensure_cc.sh"; then
+    configure_linker "$(command -v cc)"
+    exit 0
+  fi
+fi
+
+if [ "${ALLOW_MISSING_C_TOOLCHAIN:-}" = "1" ] || [ "${ALLOW_MISSING_C_TOOLCHAIN:-}" = "true" ]; then
+  echo "::warning::No usable C compiler found; continuing because ALLOW_MISSING_C_TOOLCHAIN is enabled."
   exit 0
 fi