internal/pkg: override working directory perms

This must be writable to enable renaming, and the final result is conventionally read-only alongside the entire directory contents. This change overrides the permission bits as part of Store. Signed-off-by: Ophestra <cat@gensokyo.uk>
2026-01-04 00:55:23 +09:00
parent bd0ef086b1
commit fa93476896
3 changed files with 12 additions and 4 deletions
--- a/internal/pkg/dir_test.go
+++ b/internal/pkg/dir_test.go
@@ -123,7 +123,7 @@ func TestFlatten(t *testing.T) {
 			".": {Mode: fs.ModeDir | 0700},

 			"checksum": {Mode: fs.ModeDir | 0700},
-			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0700},
+			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP":                {Mode: fs.ModeDir | 0500},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check":          {Mode: 0400, Data: []byte{0, 0}},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib":            {Mode: fs.ModeDir | 0700},
 			"checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/pkgconfig":  {Mode: fs.ModeDir | 0700},
@@ -138,7 +138,7 @@ func TestFlatten(t *testing.T) {
 			{Mode: fs.ModeDir | 0700, Path: "."},

 			{Mode: fs.ModeDir | 0700, Path: "checksum"},
-			{Mode: fs.ModeDir | 0700, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
+			{Mode: fs.ModeDir | 0500, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP"},
 			{Mode: 0400, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/check", Data: []byte{0, 0}},
 			{Mode: fs.ModeDir | 0700, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib"},
 			{Mode: fs.ModeSymlink | 0777, Path: "checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP/lib/libedac.so", Data: []byte("/proc/nonexistent/libedac.so")},
@@ -149,7 +149,7 @@ func TestFlatten(t *testing.T) {
 			{Mode: fs.ModeSymlink | 0777, Path: "identifier/Zx5ZG9BAwegNT3zQwCySuI2ktCXxNgxirkGLFjW4FW06PtojYVaCdtEw8yuntPLa", Data: []byte("../checksum/1TL00Qb8dcqayX7wTO8WNaraHvY6b-KCsctLDTrb64QBCmxj_-byK1HdIUwMaFEP")},

 			{Mode: fs.ModeDir | 0700, Path: "work"},
-		}, pkg.MustDecode("N7dntFYbOq9V4iC-rjAQ-By6ofPIQVZkA8V0r0G07M_sdB7Zh42Ttrspsc38ioYa")},
+		}, pkg.MustDecode("8OP6YxJAdRrhV2WSBt1BPD7oC_n2Qh7JqUMyVMoGvjDX83bDqq2hgVMNcdiBH_64")},
 	}
 	for _, tc := range testCases {
 		t.Run(tc.name, func(t *testing.T) {
--- a/internal/pkg/pkg.go
+++ b/internal/pkg/pkg.go
@@ -259,6 +259,11 @@ func (c *Cache) Store(
 	if err = makeArtifact(workPathname); err != nil {
 		return
 	}
+	// override this before hashing since it will be made read-only after the
+	// rename anyway so do not let perm bits affect the checksum
+	if err = os.Chmod(workPathname.String(), 0700); err != nil {
+		return
+	}
 	var checksum Checksum
 	if checksum, err = HashDir(workPathname); err != nil {
 		return
@@ -280,7 +285,10 @@ func (c *Cache) Store(
 		if !errors.Is(err, os.ErrExist) {
 			return
 		}
+	} else if err = os.Chmod(checksumPathname.String(), 0500); err != nil {
+		return
 	}
+
 	if linkErr := os.Symlink(
 		"../"+dirChecksum+"/"+path.Base(checksumPathname.String()),
 		pathname.String(),
--- a/internal/pkg/pkg_test.go
+++ b/internal/pkg/pkg_test.go
@@ -455,7 +455,7 @@ func TestCache(t *testing.T) {
 			} else if !store {
 				t.Fatal("Store did not store nonpresent entry")
 			}
-		}, pkg.MustDecode("N7dntFYbOq9V4iC-rjAQ-By6ofPIQVZkA8V0r0G07M_sdB7Zh42Ttrspsc38ioYa")},
+		}, pkg.MustDecode("8OP6YxJAdRrhV2WSBt1BPD7oC_n2Qh7JqUMyVMoGvjDX83bDqq2hgVMNcdiBH_64")},
 	}
 	checkWithCache(t, testCases)
 }