fix CI: fmt, skip migrate readonly test as root, fix container shell

- Run cargo fmt on skip_if_root() blocks
- Add skip_if_root() to migrate_atomic_version_unchanged_on_write_failure
- Add libc dev-dependency to karapace-store for root check
- Remove explicit shell: sh from container rustup steps (OCI exec
  can't find sh in PATH; default run shell works)

.github/workflows/ci.yml

@@ -67,9 +67,9 @@ jobs:
         run: zypper install -y gcc make curl gzip tar xz
       - name: Install Rust (container)
         if: matrix.container != ''
-        shell: sh
         run: |
-          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_TOOLCHAIN --profile minimal
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${{ env.RUST_TOOLCHAIN }} --profile minimal
+          . "$HOME/.cargo/env"
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - uses: dtolnay/rust-toolchain@stable
         if: matrix.container == ''
@@ -150,9 +150,9 @@ jobs:
       - name: Install prerequisites
         run: ${{ matrix.setup }}
       - name: Install Rust
-        shell: sh
         run: |
-          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain $RUST_TOOLCHAIN --profile minimal
+          curl --proto '=https' --tlsv1.2 -sSf https://sh.rustup.rs | sh -s -- -y --default-toolchain ${{ env.RUST_TOOLCHAIN }} --profile minimal
+          . "$HOME/.cargo/env"
           echo "$HOME/.cargo/bin" >> $GITHUB_PATH
       - uses: Swatinem/rust-cache@v2
       - name: Enable user namespaces

Cargo.lock

@@ -1198,6 +1198,7 @@ dependencies = [
  "chrono",
  "fs2",
  "karapace-schema",
+ "libc",
  "serde",
  "serde_json",
  "tar",

crates/karapace-core/tests/integration.rs

@@ -1379,7 +1379,9 @@ fn gc_is_idempotent_after_partial_run() {
 // M6.2: Object read fails gracefully on permission denied
 #[test]
 fn object_get_fails_on_permission_denied() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let layout = StoreLayout::new(store.path());
     layout.initialize().unwrap();
@@ -1401,7 +1403,9 @@ fn object_get_fails_on_permission_denied() {
 // M6.2: Metadata write fails gracefully on read-only store
 #[test]
 fn metadata_put_fails_on_read_only_dir() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let layout = StoreLayout::new(store.path());
     layout.initialize().unwrap();
@@ -1605,7 +1609,9 @@ fn stale_running_marker_cleaned_on_engine_new() {
 
 #[test]
 fn build_on_readonly_objects_dir_returns_error() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let project = tempfile::tempdir().unwrap();
 
@@ -1630,7 +1636,9 @@ fn build_on_readonly_objects_dir_returns_error() {
 
 #[test]
 fn build_on_readonly_metadata_dir_returns_error() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let project = tempfile::tempdir().unwrap();
 
@@ -1653,7 +1661,9 @@ fn build_on_readonly_metadata_dir_returns_error() {
 
 #[test]
 fn commit_on_readonly_layers_dir_returns_error() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let project = tempfile::tempdir().unwrap();
     let engine = Engine::new(store.path());
@@ -1692,7 +1702,9 @@ fn commit_on_readonly_layers_dir_returns_error() {
 
 #[test]
 fn write_failure_never_panics() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let layout = StoreLayout::new(store.path());
     layout.initialize().unwrap();
@@ -2114,7 +2126,9 @@ backend = "mock"
 
 #[test]
 fn wal_write_fails_on_readonly_dir() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let layout = StoreLayout::new(store.path());
     layout.initialize().unwrap();
@@ -2138,7 +2152,9 @@ fn wal_write_fails_on_readonly_dir() {
 
 #[test]
 fn build_fails_cleanly_when_wal_dir_is_readonly() {
-    if skip_if_root() { return; }
+    if skip_if_root() {
+        return;
+    }
     let store = tempfile::tempdir().unwrap();
     let project = tempfile::tempdir().unwrap();
 

crates/karapace-store/Cargo.toml

@@ -20,3 +20,6 @@ chrono.workspace = true
 tar.workspace = true
 tracing.workspace = true
 karapace-schema = { path = "../karapace-schema" }
+
+[dev-dependencies]
+libc.workspace = true

crates/karapace-store/tests/migration.rs

@@ -218,6 +218,12 @@ fn migrate_rejects_future_version() {
 fn migrate_atomic_version_unchanged_on_write_failure() {
     use std::os::unix::fs::PermissionsExt;
 
+    // Root bypasses filesystem permission checks — skip in containers
+    #[allow(unsafe_code)]
+    if unsafe { libc::getuid() } == 0 {
+        return;
+    }
+
     let dir = tempfile::tempdir().unwrap();
     create_v1_store(dir.path(), 1);