From d19291d3295e0381e7893060d46f60b26b4d24c4 Mon Sep 17 00:00:00 2001 From: harshitsinghbhandari <24b4506@iitb.ac.in> Date: Thu, 4 Jun 2026 06:46:23 +0530 Subject: [PATCH] Prompt before installing hawkeye in ensure-hawkeye-exists.sh `make pre-commit` previously installed the hook but did not check for hawkeye, so the very next commit attempt would fail. v1 of this change auto-installed hawkeye via `exec install-hawkeye.sh` when it was missing, but `curl | sh` without prior user consent is a security anti-pattern. This change instead: - Makes the missing-hawkeye path interactive by default: print exactly what would be downloaded and from where, then prompt `[y/N]`. - Supports two ways to skip the prompt non-interactively (matching the convention used by terraform, kubectl, apt-get, etc.): - CLI flag: `--auto-install` (or `-y`) - Env var: HAWKEYE_AUTO_INSTALL=1 Precedence: flag > env var > prompt (default). - Refuses to install silently when stdin is not a TTY *and* neither consent mechanism was provided, with a clear error pointing at both knobs. This protects piped or CI invocations that forgot to opt in. - Wires `make pre-commit` to run the ensure script after installing the hook, so contributors hit the consent prompt at setup time rather than at their first commit. - Exports HAWKEYE_AUTO_INSTALL=1 in the GitHub Actions `Check formatting` step so license/format checks don't stall on the prompt. Fixes #1642. --- .github/workflows/common.yml | 2 + Makefile | 1 + scripts/ensure-hawkeye-exists.sh | 73 ++++++++++++++++++++++++++++++-- 3 files changed, 73 insertions(+), 3 deletions(-) diff --git a/.github/workflows/common.yml b/.github/workflows/common.yml index 0f62ae015..3ff184d53 100644 --- a/.github/workflows/common.yml +++ b/.github/workflows/common.yml @@ -35,6 +35,8 @@ jobs: fetch-depth: 0 - name: Check formatting + env: + HAWKEYE_AUTO_INSTALL: "1" run: | ./scripts/install-hawkeye.sh make fmt diff --git a/Makefile b/Makefile index fae34241b..f91bdee96 100644 
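Review bot: The new `HAWKEYE_AUTO_INSTALL: "1"` on the `Check formatting` step has no comment saying what it consents to, and the step already runs `./scripts/install-hawkeye.sh` directly two lines below, so the variable is not what authorises the download here. It presumably only matters if `make fmt` reaches `scripts/ensure-hawkeye-exists.sh` and the existence check fails, in which case the installer runs a second time with nothing in the log that a reviewer would notice. I would add a comment above `env:` such as `# CI has no TTY: opt in so ensure-hawkeye-exists.sh may run the installer instead of exiting 1`, and confirm that `make fmt` actually calls the ensure script.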
--- a/Makefile +++ b/Makefile @@ -326,6 +326,7 @@ pre-commit: echo 'PRECOMMIT_NOFMT=$${PRECOMMIT_NOFMT} $$(git rev-parse --git-path hooks/pre-commit.fmt)' >> /tmp/pre-commit.new mv /tmp/pre-commit.new $(HOOKS_DIR)/pre-commit chmod +x $(HOOKS_DIR)/pre-commit + @./scripts/ensure-hawkeye-exists.sh .PHONY: serve-docs serve-docs: diff --git a/scripts/ensure-hawkeye-exists.sh b/scripts/ensure-hawkeye-exists.sh index 56d7986b8..65693935b 100755 --- a/scripts/ensure-hawkeye-exists.sh +++ b/scripts/ensure-hawkeye-exists.sh @@ -13,12 +13,79 @@ # See the License for the specific language governing permissions and # limitations under the License. +set -e + +auto_install=0 + +for arg in "$@"; do + case "$arg" in + --auto-install|-y) + auto_install=1 + ;; + -h|--help) + cat <&2 + echo "see '$(basename "$0") --help' for usage" >&2 + exit 2 + ;; + esac +done + +if [[ "${HAWKEYE_AUTO_INSTALL:-}" == "1" ]]; then + auto_install=1 +fi + echo "Checking existence of hawkeye..." if command -v .local/bin/hawkeye >/dev/null 2>&1; then echo "hawkeye found!" -else - echo "hawkeye not found in PATH" - echo "please install hawkeye. For convenience, you can run scripts/install-hawkeye.sh" + exit 0 +fi + +cat </hawkeye-installer.sh | sh + +and performs the installation by passing the downloaded content to \`sh\`. + +(See scripts/install-hawkeye.sh for the pinned version.) +EOF + +if [[ "$auto_install" -eq 1 ]]; then + echo + echo "Auto-install enabled; proceeding." +elif [[ ! -t 0 ]]; then + echo + echo "Non-interactive context detected. Refusing to install silently." >&2 + echo "Set HAWKEYE_AUTO_INSTALL=1 or pass --auto-install to proceed." >&2 exit 1 +else + echo + read -r -p "Proceed with install? [y/N] " response + case "$response" in + [yY][eE][sS]|[yY]) + ;; + *) + echo "please install hawkeye. For convenience, you can run scripts/install-hawkeye.sh" + exit 1 + ;; + esac fi + +exec "$(dirname "$0")/install-hawkeye.sh"
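Review bot: The added recipe line `@./scripts/ensure-hawkeye-exists.sh` makes `make pre-commit` exit non-zero whenever the user answers no or stdin is not a TTY, even though the hook has already been moved into `$(HOOKS_DIR)` by the lines above it. Anything that runs this target unattended now has to set `HAWKEYE_AUTO_INSTALL=1`, and that is only discoverable from the script's error text. A comment on the target would cover it, for example `# Prompts before downloading hawkeye; set HAWKEYE_AUTO_INSTALL=1 for non-interactive runs`, and the leading `@` could be dropped so the user sees which script is asking for consent. The `pre-commit` recipe starts outside this hunk.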
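Review bot: The existence test on the unchanged line `if command -v .local/bin/hawkeye >/dev/null 2>&1; then` is resolved against the current directory, while the new last line locates the installer through `$(dirname "$0")`. Before this change a miss only printed a hint; now a miss leads to the remote installer being piped to `sh`, and with `HAWKEYE_AUTO_INSTALL=1` that happens without a prompt every time the script is started from a directory where the relative path does not resolve. Anchoring the check to the script location would close that gap, e.g. `if [ -x "$(dirname "$0")/../.local/bin/hawkeye" ]; then`, assuming install-hawkeye.sh installs into the repository's `.local/bin` (not visible here, please confirm). Separately, under the new `set -e` an end-of-file at `read -r -p` exits before the decline message is printed; `read -r -p "Proceed with install? [y/N] " response || response=""` keeps that path on the `*)` branch. The shebang is above the hunk, so whether `[[` is safe depends on it naming bash.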