fix(chezmoi): harden atuin postCreateCommand hook and add regression tests

ckagerer · ckagerer · commit 97d48e1bfb50 · 2026-04-20T13:09:06.000+02:00
- Replace dynamic environment variable assignment with literal heredoc + sed placeholder injection pattern (consistent with persist-ccache and persist-pre-commit features)
- Add early exit if atuin credentials are not configured (graceful no-op)
- Add explicit check for atuin binary before attempting login/sync (prevents 'command not found' from blocking container start)
- Separate atuin-specific operations from /.persist-shell-history symlink setup for better error isolation
- Add regression scenario test with dummy atuin credentials but no atuin installed
- Expand test.sh checks to verify postCreateCommand script exists and chezmoi state is initialized
- Update README to clarify that atuin, starship, and shell themes are not installed by this feature
- Document optional atuin integration and relationship to persist-shell-history feature

Fixes regression where postCreateCommand would fail with 'atuin: command not found' when atuin_user/password/key were configured but atuin binary was not installed, breaking container initialization and shell setup.
diff --git a/src/chezmoi/README.md b/src/chezmoi/README.md
@@ -1,7 +1,21 @@
 
 # Chezmoi (chezmoi)
 
-Install chezmoi and apply dotfiles.
+Install chezmoi and apply dotfiles during the container build.
+
+## Behavior
+
+This feature:
+
+- Installs chezmoi
+- runs `chezmoi init --apply --exclude=encrypted` for the configured user during the build
+- creates `/usr/local/share/chezmoi-atuin-init.sh` as a `postCreateCommand`
+
+If `atuin_user`, `atuin_password`, and `atuin_key` are set, the post-create hook prepares optional Atuin history persistence and then runs `atuin login` and `atuin sync` when the `atuin` binary is available.
+
+This feature does not install Atuin, Starship, or shell themes. Those tools must come from your dotfiles repository or another feature.
+
+To persist Atuin history across rebuilds, combine this feature with [persist-shell-history](../persist-shell-history/).
 
 ## Example Usage
 
@@ -12,3 +26,17 @@ Install chezmoi and apply dotfiles.
     }
 }
 ```
+
+## Example With Atuin
+
+```json
+"features": {
+    "ghcr.io/ckagerer/devcontainer-features/chezmoi:1": {
+        "dotfiles_repo": "twpayne/dotfiles",
+        "atuin_user": "your-user",
+        "atuin_password": "your-token",
+        "atuin_key": "your-key"
+    },
+    "ghcr.io/ckagerer/devcontainer-features/persist-shell-history:1": {}
+}
+```
diff --git a/src/chezmoi/devcontainer-feature.json b/src/chezmoi/devcontainer-feature.json
@@ -1,7 +1,7 @@
 {
     "name": "chezmoi",
     "id": "chezmoi",
-    "version": "1.6.2",
+    "version": "1.6.3",
     "description": "Install chezmoi",
     "documentationURL": "https://github.com/ckagerer/devcontainer-features/tree/main/src/chezmoi",
     "options": {
diff --git a/src/chezmoi/install.sh b/src/chezmoi/install.sh
@@ -17,6 +17,10 @@ if [ -z "${DOTFILES_REPO}" ]; then
   exit 1
 fi
 
+escape_sed_replacement() {
+  printf '%s' "$1" | sed 's/[\\&|]/\\&/g'
+}
+
 # Function to update and install packages on Debian-based systems
 install_debian_packages() {
   apt update
@@ -100,45 +104,65 @@ sudo --user "${CHEZMOI_USER}" bash -c "cd '${CHEZMOI_USER_HOME}' && REMOTE_CONTA
 # --- Generate a 'pull-git-lfs-artifacts.sh' script to be executed by the 'postCreateCommand' lifecycle hook
 INIT_ATUIN_SCRIPT_PATH="/usr/local/share/chezmoi-atuin-init.sh"
 
-tee "$INIT_ATUIN_SCRIPT_PATH" >/dev/null <<EOF
+tee "$INIT_ATUIN_SCRIPT_PATH" >/dev/null <<'EOF'
 #!/usr/bin/env bash
 # (C) Copyright 2025 Christian Kagerer
 # Purpose: Initialize Atuin login and sync for chezmoi devcontainer feature
 
-KEEP_GOING="${KEEP_GOING:-false}"
+KEEP_GOING="__KEEP_GOING_PLACEHOLDER__"
 
-if [[ "\${KEEP_GOING}" == "true" ]]; then
+if [[ "${KEEP_GOING}" == "true" ]]; then
   set +o errexit +o nounset +o pipefail
 else
   set -o errexit -o nounset -o pipefail
 fi
 set -x
 
-ATUIN_USER="${ATUIN_USER}"
-ATUIN_PASSWORD="${ATUIN_PASSWORD}"
-ATUIN_KEY="${ATUIN_KEY}"
-
-# exit if required environment variables are not set
-if [ -n "\${ATUIN_USER}" ] && [ -n "\${ATUIN_PASSWORD}" ] && [ -n "\${ATUIN_KEY}" ]; then
-    # If /.persist-shell-history exists, we assume that the user wants to persist also the atuin history
-    if [ -d "/.persist-shell-history" ]; then
-        if [ -d ~/.local/share/atuin ]; then
-            mv ~/.local/share/atuin ~/.local/share/atuin.bak
-        fi
-        mkdir -p /.persist-shell-history/atuin
-        mkdir -p ~/.local/share
-        ln -s -f /.persist-shell-history/atuin ~/.local/share/atuin
-    fi
-
-    atuin login --username "\${ATUIN_USER}" --password "\${ATUIN_PASSWORD}" --key "\${ATUIN_KEY}" || true
-    atuin sync
+ATUIN_USER="__ATUIN_USER_PLACEHOLDER__"
+ATUIN_PASSWORD="__ATUIN_PASSWORD_PLACEHOLDER__"
+ATUIN_KEY="__ATUIN_KEY_PLACEHOLDER__"
+
+if [[ -z "${ATUIN_USER}" || -z "${ATUIN_PASSWORD}" || -z "${ATUIN_KEY}" ]]; then
+  echo "Atuin credentials not configured; skipping atuin initialization"
+  exit 0
 fi
 
-if [[ "\${KEEP_GOING}" == "true" ]]; then
+# If /.persist-shell-history exists, we assume that the user wants to persist also the atuin history.
+if [[ -d "/.persist-shell-history" ]]; then
+  if [[ -d "${HOME}/.local/share/atuin" && ! -L "${HOME}/.local/share/atuin" ]]; then
+    mv "${HOME}/.local/share/atuin" "${HOME}/.local/share/atuin.bak"
+  fi
+
+  mkdir -p "/.persist-shell-history/atuin"
+  mkdir -p "${HOME}/.local/share"
+  ln -sfn "/.persist-shell-history/atuin" "${HOME}/.local/share/atuin"
+fi
+
+if ! command -v atuin >/dev/null 2>&1; then
+  echo "Atuin credentials are configured, but atuin is not installed. Skipping login and sync." >&2
+  exit 0
+fi
+
+atuin login --username "${ATUIN_USER}" --password "${ATUIN_PASSWORD}" --key "${ATUIN_KEY}" || true
+atuin sync
+
+if [[ "${KEEP_GOING}" == "true" ]]; then
   exit 0
 fi
 EOF
 
+KEEP_GOING_ESCAPED="$(escape_sed_replacement "${KEEP_GOING:-false}")"
+ATUIN_USER_ESCAPED="$(escape_sed_replacement "${ATUIN_USER:-}")"
+ATUIN_PASSWORD_ESCAPED="$(escape_sed_replacement "${ATUIN_PASSWORD:-}")"
+ATUIN_KEY_ESCAPED="$(escape_sed_replacement "${ATUIN_KEY:-}")"
+
+sed -i \
+  -e "s|__KEEP_GOING_PLACEHOLDER__|${KEEP_GOING_ESCAPED}|g" \
+  -e "s|__ATUIN_USER_PLACEHOLDER__|${ATUIN_USER_ESCAPED}|g" \
+  -e "s|__ATUIN_PASSWORD_PLACEHOLDER__|${ATUIN_PASSWORD_ESCAPED}|g" \
+  -e "s|__ATUIN_KEY_PLACEHOLDER__|${ATUIN_KEY_ESCAPED}|g" \
+  "$INIT_ATUIN_SCRIPT_PATH"
+
 chmod 755 "$INIT_ATUIN_SCRIPT_PATH"
 
 echo "Done"
diff --git a/test/chezmoi/scenarios.json b/test/chezmoi/scenarios.json
@@ -9,7 +9,10 @@
                 "username": "octocat"
             },
             "chezmoi": {
-                "dotfiles_repo": "twpayne/dotfiles"
+                "dotfiles_repo": "twpayne/dotfiles",
+                "atuin_user": "octocat",
+                "atuin_password": "dummy-token",
+                "atuin_key": "dummy key for feature testing"
             }
         },
         "remoteUser": "octocat"
diff --git a/test/chezmoi/test.sh b/test/chezmoi/test.sh
@@ -41,6 +41,9 @@ source dev-container-features-test-lib
 # The 'check' command comes from the dev-container-features-test-lib. Syntax is...
 # check <LABEL> <cmd> [args...]
 check "validate if chezmoi command is installed" chezmoi --version
+check "validate if chezmoi Atuin init script exists" test -x /usr/local/share/chezmoi-atuin-init.sh
+# shellcheck disable=SC2016
+check "validate if chezmoi has been initialized for the current user" sh -c 'source_path=$(chezmoi source-path) && [ -n "$source_path" ] && [ -d "$source_path" ]'
 
 # Report result
 # If any of the checks above exited with a non-zero exit code, the test will fail.

Original file line number	Diff line number	Diff line change
`@@ -1,7 +1,7 @@`
`1`	`1`	`{`
`2`	`2`	`"name": "chezmoi",`
`3`	`3`	`"id": "chezmoi",`
`4`		`- "version": "1.6.2",`
	`4`	`+ "version": "1.6.3",`
`5`	`5`	`"description": "Install chezmoi",`
`6`	`6`	`"documentationURL": "https://github.com/ckagerer/devcontainer-features/tree/main/src/chezmoi",`
`7`	`7`	`"options": {`