Move exit-condition script to expected URL path + persistent marker #3
Merged
george-elphick-talieisin merged 1 commit intoMay 13, 2026
The SecondSon Baseline lifecycle script reference rendered by the Terraform secondson-baseline mobileconfig expects the script at:

https://raw.githubusercontent.com/Talieisin/macos-scripts/main/scripts/lib/exit-condition.sh

Previously the script lived at config/baseline_exit_condition.sh, so production ADE devices got 404s on download and Baseline's lifecycle Scripts array reported "Script does not exist" / "Script download error".

This commit:
- Renames config/baseline_exit_condition.sh -> scripts/lib/exit-condition.sh
- Changes the marker file path from /usr/local/Baseline/baseline_exit_condition (which Baseline's CleanupAfterUse=true deletes immediately after the successful run) to /var/db/.talieisin-baseline-complete (persists across reboots; cleared on device wipe -> correct re-run behaviour on re-enrolment).

The marker path is the source of truth used by both the Baseline ExitCondition mechanism (config delivered via mobileconfig) and the defense-in-depth Phase 3 short-circuit in bootstrap.sh.

Must stay byte-identical to scripts/lib/exit-condition.sh in the Talieisin/intune working tree -- the Terraform-rendered SecondSon mobileconfig pins the script's MD5, so any drift makes Baseline reject the download.
Pull request overview
This PR updates the SecondSon Baseline “exit condition” script to write a persistent completion marker outside Baseline’s cleanup directory so Baseline can reliably short-circuit on subsequent runs.
Changes:
- Expanded header documentation clarifying ordering requirements and why the marker must live outside /usr/local/Baseline/.
- Changed the marker file path to /var/db/.talieisin-baseline-complete so it persists across Baseline cleanup.
Comments suppressed due to low confidence (1)
scripts/lib/exit-condition.sh:5
- PR description says this change renames/moves the script from config/baseline_exit_condition.sh to scripts/lib/exit-condition.sh so it can be fetched from the expected raw GitHub URL, but this PR diff only updates content within scripts/lib/exit-condition.sh and does not include a file move/rename. If the move is still required for production to stop 404s, please include it in this PR (or update the PR description if it already happened elsewhere).
Why

The SecondSon Baseline lifecycle script reference rendered by the Terraform secondson-baseline.mobileconfig.tpl expects the script at:

Previously the script lived at config/baseline_exit_condition.sh, so production ADE devices got 404s on download and Baseline's lifecycle Scripts array reported "Script does not exist" / "Script download error". Test framework saw it too as not ok 14 Baseline apps installed successfully (no failures).

Changes

- config/baseline_exit_condition.sh → scripts/lib/exit-condition.sh (git tracks as rename)
- /usr/local/Baseline/baseline_exit_condition (which Baseline's CleanupAfterUse=true deletes immediately after the successful run, defeating the whole mechanism) to /var/db/.talieisin-baseline-complete
- /var/db/ persists across reboots and Baseline's own cleanup
- sudo rm → escape hatch for IT support

Coupled changes in Talieisin/intune (will land separately)

The marker path is now the single source of truth referenced from two places in the intune working tree:

- var.baseline_exit_condition default → rendered as ExitCondition in SecondSon mobileconfig (Baseline checks before doing anything)
- bootstrap.sh Phase 3 short-circuit → skips pkg install + Baseline launch entirely if marker exists (defense-in-depth)

Both will point at /var/db/.talieisin-baseline-complete to match this script.

Important

This file must stay byte-identical to scripts/lib/exit-condition.sh in the Talieisin/intune working tree. The Terraform-rendered SecondSon mobileconfig pins the script's MD5, so any drift makes Baseline reject the download. Current MD5: 2e6894a49ca224e4bab4a9e0e2fe88f2.

Test plan