deploy.sh: chown only pipekit.db, not the whole repo

Avoids stripping write access from the developer. The service only needs
to own pipekit.db (runtime writes) and .venv (created as pipekit).
Source code stays owned by whoever ran deploy.sh.

Co-Authored-By: Claude Sonnet 4.6 (1M context) <noreply@anthropic.com>
This commit is contained in:
Paul Trowbridge 2026-06-03 21:37:18 -04:00
parent f32706be01
commit a3ff5337ee


@ -80,9 +80,16 @@ fi
# ── 3. Ownership ──────────────────────────────────────────────────────────────
step "File ownership and permissions"
echo " Setting $REPO_DIR$SERVICE_NAME:$SERVICE_NAME (group-writable)"
chown -R "$SERVICE_NAME:$SERVICE_NAME" "$REPO_DIR"
chmod -R g+w "$REPO_DIR"
# Only chown what the service needs to write at runtime.
# Source code stays owned by the invoking user.
DB_FILE="$REPO_DIR/pipekit.db"
if [ -f "$DB_FILE" ]; then
echo " $DB_FILE$SERVICE_NAME"
chown "$SERVICE_NAME:$SERVICE_NAME" "$DB_FILE"
else
echo " $DB_FILE not yet created (pipekit init will create it as $SERVICE_NAME)"
fi
echo " $VENV_DIR$SERVICE_NAME (created/managed below)"
echo " Done."
# ── 4. Venv + deps ────────────────────────────────────────────────────────────
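Review bot: Dropping the recursive `chown`/`chmod -R g+w` leaves `$REPO_DIR` owned by the invoking user with no write access for the service, so `$SERVICE_NAME` can write to `pipekit.db` itself but not create anything in its containing directory; if pipekit.db is SQLite, runtime writes also need sidecar files (`pipekit.db-journal`, `-wal`, `-shm`) in that directory, which would then fail — this needs confirming against how pipekit opens the database. If that is the case, keeping the database in a service-owned data directory, or making only the top-level `$REPO_DIR` group-owned by `$SERVICE_NAME` and group-writable, would restore the write path without handing the service ownership of the source tree. Separately, the `chown` on the existing file leaves its mode untouched, so a database created earlier under a default umask stays world-readable; `chmod 0640 "$DB_FILE"` after the chown would tighten it, and the same applies to the `touch`-created file in the schema-init hunk.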
@ -135,6 +142,12 @@ fi
# ── 7. Schema init ────────────────────────────────────────────────────────────
step "Database schema"
DB_FILE="$REPO_DIR/pipekit.db"
if [ ! -f "$DB_FILE" ]; then
echo " Creating $DB_FILE owned by $SERVICE_NAME"
touch "$DB_FILE"
chown "$SERVICE_NAME:$SERVICE_NAME" "$DB_FILE"
fi
echo " Running pipekit init"
sudo -u "$SERVICE_NAME" HOME=/nonexistent "$LAUNCHER" init
echo " Done."
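Review bot: `DB_FILE` is assigned a second time here with the same value as in the ownership step, and the earlier message `not yet created (pipekit init will create it as $SERVICE_NAME)` no longer matches what this hunk does, since the file is now pre-created by `touch` as whoever runs deploy.sh and only then chowned. Defining `DB_FILE` once next to `REPO_DIR` (outside both hunks) and rewording the earlier message to `not yet created (will be created in the schema step)` keeps the two steps consistent. The `if [ ! -f ]` guard also follows symlinks, so a pre-existing symlink at that path would be accepted and chowned through; `[ ! -e "$DB_FILE" ]` plus a `[ -L "$DB_FILE" ]` refusal would be the defensive form, though with `$REPO_DIR` owned by the invoking user this is low risk.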