CI: improve path resolution consistency and restrict sudo environment variable exposure

Copilot · PDowney · web-flow · commit 37b4ccf4fc6d · 2026-04-10T20:54:12.000Z
Agent-Logs-Url: https://github.com/EngineScript/EngineScript/sessions/d62f3708-eedf-47cb-848d-974f0adff688 Co-authored-by: PDowney <11467177+PDowney@users.noreply.github.com>
diff --git a/CHANGELOG.md b/CHANGELOG.md
@@ -6,6 +6,14 @@ Changes are organized by date, with the most recent changes listed first.
 
 ## 2026-04-10
 
+### 🔒 CI SCRIPT SECURITY AND CONSISTENCY IMPROVEMENTS
+
+- Updated `ALLOWED_LOG_BASE_DIR` in `scripts/ci/run-install-step.sh` to use `realpath "$(pwd)"` instead of `pwd -P` for consistency with the `ALLOWED_INSTALL_DIR` resolution on line 15.
+- Updated `RESOLVED_LOG_PARENT` in `scripts/ci/run-install-step.sh` to use `realpath` instead of `cd ... && pwd -P`, making path resolution more explicit and avoiding an unnecessary directory change.
+- Replaced `sudo -E` with explicit `--preserve-env` flags (`CI_ENVIRONMENT`, `DEBIAN_FRONTEND`, `NEEDRESTART_MODE`, `NEEDRESTART_SUSPEND`) in `scripts/ci/run-install-step.sh` to limit environment variable exposure when running install scripts with elevated privileges.
+
+
+
 ### 🐛 VHOST IMPORT LOGGING / EXTRACTION FLOW FIXES
 
 - Removed a duplicate WordPress extraction block in `scripts/functions/vhost/vhost-import.sh` that re-ran archive extraction and wp-config path detection after those steps had already completed.
diff --git a/scripts/ci/run-install-step.sh b/scripts/ci/run-install-step.sh
@@ -40,7 +40,7 @@ case "$CANONICAL_INSTALL_SCRIPT_PATH" in
     ;;
 esac
 
-ALLOWED_LOG_BASE_DIR="$(pwd -P)"
+ALLOWED_LOG_BASE_DIR="$(realpath "$(pwd)")"
 LOG_PARENT_DIR="$(dirname -- "$LOG_PATH")"
 LOG_FILENAME="$(basename -- "$LOG_PATH")"
 
@@ -49,7 +49,7 @@ if [ ! -d "$LOG_PARENT_DIR" ]; then
   exit 1
 fi
 
-RESOLVED_LOG_PARENT="$(cd "$LOG_PARENT_DIR" 2>/dev/null && pwd -P)"
+RESOLVED_LOG_PARENT="$(realpath "$LOG_PARENT_DIR" 2>/dev/null || true)"
 
 if [ -z "${RESOLVED_LOG_PARENT:-}" ]; then
   echo "Error: unable to resolve log directory path: $LOG_PARENT_DIR" >&2
@@ -104,7 +104,8 @@ export DEBIAN_FRONTEND=noninteractive
 export NEEDRESTART_MODE=a
 export NEEDRESTART_SUSPEND=1
 timeout "$TIMEOUT_SECONDS" \
-  sudo -E bash "$CANONICAL_INSTALL_SCRIPT_PATH" 2>&1 | tee -a "$LOG_PATH"
+  sudo --preserve-env=CI_ENVIRONMENT --preserve-env=DEBIAN_FRONTEND --preserve-env=NEEDRESTART_MODE --preserve-env=NEEDRESTART_SUSPEND \
+  bash "$CANONICAL_INSTALL_SCRIPT_PATH" 2>&1 | tee -a "$LOG_PATH"
 PIPE_EXIT_CODES=("${PIPESTATUS[@]}")
 SCRIPT_EXIT_CODE="${PIPE_EXIT_CODES[0]}"
 TEE_EXIT_CODE="${PIPE_EXIT_CODES[1]}"
