Before tarring site, set file read permissions #34
Conversation
Pages DFS needs the "group read" permission set on any file it serves, so add read permission before tarring to prevent unreadable files from being deployed. This only applies to files that are built on an actions runner, not files that are cloned from a git repoitory, because git's permissions are limited to the equivalents of chmod 644 and 755.
|
Should we parse the output and issue warnings? The more I think about it the more I see it needing eventually to become a JavaScript Action 🙃 |
|
added warnings, they look like this
|
| @@ -17,6 +17,10 @@ runs: | |||
| shell: sh | |||
| if: runner.os == 'Linux' | |||
| run: | | |||
| for f in $(chmod -c -R +r . | awk '{print substr($3, 2, length($3)-2)}') | |||
There was a problem hiding this comment.
If a filename has a blank in it, this'll pick up only the part of the name before the blank; a slightly more robust way could be to use ' as the field separator and loop over entire lines instead of splitting on words:
chmod -c -R +r . | awk -F\' '{ print $2 }' \
| while IFS= read -r f; do
echo "::warning::Added read permission to $f"
donebut that breaks if the filename contains quotes. With GNU grep, a solution that should be able to handle all characters in filenames could look like
chmod -c -R +r . | grep -Po '^mode of (["'\''])\K.*(?=\1 changed from \d+)'handling blanks, single and double quotes, and newlines in filenames, printing like
./subdir/file
./file'$'\n''newline
./file"'\''quotes
./file'quote
./has spacebut that would require to rewrite the loop to
chmod -c -R +r . \
| grep -Po '^mode of (["'\''])\K.*(?=\1 changed from \d+)' \
| while IFS= read -r f; do
echo "::warning::Added read permission to $f"
doneThis still works in sh, but I understand the action tries to support more limited environments like busybox, where grep won't have the -P option.
Probably not super important because it only affects the warning message, not the actual chmod operation, but I thought I'd point it out.
There was a problem hiding this comment.
Or maybe avoid all parsing and have the entire output from chmod go into the warning?
There was a problem hiding this comment.
Kind of like the suggestion of not parsing at all and just wrapping the output in a warning 👍
Adds read permission before tarring to prevent unreadable files from being deployed. This only affects files that are built on an actions runner, not files that are cloned from a git repoitory, because git's permissions are limited to the equivalents of chmod 644 and 755.
Uses
gchmodon mac to conform withchmodon gnu/linux.