
fix: set standard file permissions on Nix-built release binaries #7255

Merged

adamwg merged 2 commits into crossplane:main from adamkasztenny:fix/nix-binary-permissions on Apr 6, 2026

Conversation

@adamkasztenny
Contributor

@adamkasztenny adamkasztenny commented Mar 30, 2026

Summary

  • Files copied from the Nix store inherit its read-only permissions (r-xr-xr-x / 555 for executables, r--r--r-- / 444 for regular files), unlike the previous Earthly build which produced standard rwxr-xr-x / 755 and rw-r--r-- / 644 permissions.
  • The read-only permissions inside crank.tar.gz cause install.sh to fail at rm "${BIN}.sha256" (line 92) because rm prompts for confirmation on write-protected files, which fails in non-interactive CI environments (with set -e).
  • This adds chmod 755 / chmod 644 after copying from the Nix store in both crankBundle and the release function, restoring the permissions that the Earthly build produced.

Testing

Current (Nix-built) vs previous (Earthly-built) tarball permissions:

$ tar -tvf crank-v2.2.0.tar.gz   # Nix-built (current)
-r-xr-xr-x  0 nixbld nixbld 69397176 Feb 17 17:02 crank
-r--r--r--  0 nixbld nixbld       64 Feb 17 17:02 crank.sha256

$ tar -tvf crank-v1.19.0.tar.gz  # Earthly-built (previous)
-rwxr-xr-x  0 root   root 61075608 Feb 11  2025 crank
-rw-r--r--  0 root   root       64 Feb 11  2025 crank.sha256

Reproducing the failure (non-root user, TTY attached — as in some CI runners):

$ tar xzf crank.tar.gz  # Nix-built
$ ls -la crank.sha256
-r--r--r-- 1 testuser testuser 64 Feb 17 22:02 crank.sha256
# Feb 17th was the v2.2.0 release date: https://github.com/crossplane/crossplane/releases/tag/v2.2.0

$ script -qc "rm crank.sha256 crank.tar.gz" /dev/null </dev/null
rm: remove write-protected regular file 'crank.sha256'?
# No input → file NOT removed → install.sh exits via set -eu
$ ls -la crank.sha256
-r--r--r-- 1 testuser testuser 64 Feb 17 22:02 crank.sha256

After applying the fix (chmod 755/644 before tar):

$ tar -tvf crank-fixed.tar.gz
-rwxr-xr-x  0 adamkasztenny wheel 69397176 Feb 17 17:02 crank
-rw-r--r--  0 adamkasztenny wheel       64 Feb 17 17:02 crank.sha256

End-to-end install.sh simulation (non-root, TTY, set -eu):

$ set -eu
$ tar xzf crank.tar.gz
-rwxr-xr-x 1 testuser testuser 69397176 Feb 17 22:02 crank
-rw-r--r-- 1 testuser testuser       64 Feb 17 22:02 crank.sha256
$ mv crank crossplane
$ rm crank.sha256 crank.tar.gz    # succeeds — files are now writable
$ chmod +x crossplane
$ ls -la crossplane
-rwxr-xr-x 1 testuser testuser 69397176 Feb 17 22:02 crossplane

I have:

  • Read and followed Crossplane's contribution process.
  • Run ./nix.sh flake check to ensure this PR is ready for review. (Nix not available locally; relying on CI)
  • Added or updated unit tests. (No unit tests for build scripts; verified manually above)
  • Added or updated e2e tests. (Not applicable — build system change only)
  • Linked a PR or a docs tracking issue to document this change. (No user-facing docs change needed)
  • Added backport release-x.y labels to auto-backport this PR. (Should be backported to release-2.2 — maintainer to decide)
  • Followed the API promotion workflow if this PR introduces, removes, or promotes an API. (Not applicable)

🤖 Generated with Claude Code
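The mechanism the description above relies on (a 444/555 copy out of the Nix store, an interactive `rm` stopping on the write-protected file, the chmod reset on explicitly named files rather than a glob) can be exercised in a small POSIX shell script. The script below is an added example, not code from this PR or from Crossplane's build or install scripts. It keeps the PR's file names (`crank`, `crank.sha256`); the file contents, the directory layout and the function names (`stage_nix_like`, `list_write_protected`, `reset_release_modes`, `tarball_write_protected_entries`) are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not Crossplane's build or install code. Stages a release
# directory with the read-only modes a copy from the Nix store leaves behind,
# lists the entries that would make an interactive rm stop and prompt, resets
# the modes on explicitly named files (no wildcard), and applies the same
# check to a tarball listing the way the PR's `tar -tvf` output was read.

# Stage a directory the way a copy out of the Nix store would leave it.
stage_nix_like() {
  dir=$1
  mkdir -p "$dir"
  printf 'constructed placeholder for the crank binary\n' > "$dir/crank"
  printf 'constructed placeholder for the checksum file\n' > "$dir/crank.sha256"
  chmod 555 "$dir/crank"        # r-xr-xr-x, as the Nix store stores executables
  chmod 444 "$dir/crank.sha256" # r--r--r--, as it stores regular files
}

# Ten-character mode string such as "-rwxr-xr-x", read from ls so it matches
# what the ls -la and tar -tvf listings in the PR show.
perm_string() {
  ls -ld "$1" | cut -c1-10
}

# True when the owner write bit is clear: the condition under which rm (without
# -f) asks "remove write-protected regular file?" when stdin is a terminal,
# which is what made install.sh exit under set -e.
# The mode bits are inspected directly instead of using `test -w`, because
# root passes `test -w` on a read-only file and the gate would then miss it.
is_write_protected() {
  [ "$(ls -ld "$1" | cut -c3)" = "-" ]
}

# Release gate for a staging directory: print every regular file that would
# trip rm, one per line; print nothing when the directory is clean.
list_write_protected() {
  for f in "$1"/*; do
    [ -f "$f" ] || continue
    if is_write_protected "$f"; then printf '%s\n' "$f"; fi
  done
}

# The fix as the second commit describes it: explicit file names plus an
# explicit platform extension (e.g. ".exe"), never a glob, so an extra file
# that appears in the build output later cannot be re-moded by accident.
reset_release_modes() {
  dir=$1
  ext=${2:-}
  chmod 755 "$dir/crank$ext"
  chmod 644 "$dir/crank.sha256"
}

# The same gate on a finished archive: names of entries whose owner write bit
# is clear. tar -tvf prints the mode string in the first column and the entry
# name last (GNU tar and bsdtar both do).
tarball_write_protected_entries() {
  tar -tvf "$1" | awk 'substr($1, 3, 1) == "-" { print $NF }'
}

# Stand-alone walk-through; a CI step would call the functions above directly.
demo() {
  work=$(mktemp -d)
  stage_nix_like "$work/stage"
  echo "before: $(perm_string "$work/stage/crank") crank"
  echo "before: $(perm_string "$work/stage/crank.sha256") crank.sha256"
  echo "write-protected entries:"
  list_write_protected "$work/stage"
  reset_release_modes "$work/stage"
  echo "after:  $(perm_string "$work/stage/crank") crank"
  echo "after:  $(perm_string "$work/stage/crank.sha256") crank.sha256"
  tar -C "$work/stage" -czf "$work/crank.tar.gz" crank crank.sha256
  echo "tarball entries still read-only: $(tarball_write_protected_entries "$work/crank.tar.gz" | wc -l | tr -d ' ')"
  rm -rf "$work"
}

if [ "${RUN_DEMO:-0}" = 1 ]; then demo; fi
```

Run it with `RUN_DEMO=1 sh script.sh` to see the before/after mode strings. Two points worth keeping from it: the gate inspects the mode bits rather than `test -w`, since a root CI runner can write to a 444 file and would report it as fine while a non-root installer still hits the prompt; and `reset_release_modes` takes the file name and extension as arguments instead of globbing the directory, matching the reason given in the second commit message.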

adamkasztenny and others added 2 commits March 30, 2026 14:22
Files copied from the Nix store inherit its read-only permissions
(555 for executables, 444 for regular files). This differs from the
Earthly build which produced standard 755/644 permissions.

The read-only permissions inside crank.tar.gz cause install.sh to
fail at `rm "${BIN}.sha256"` (line 92) because rm prompts for
confirmation on write-protected files, which fails in non-interactive
CI environments.

Reset permissions to 755 (binaries) and 644 (.sha256 files) after
copying from the Nix store, matching the previous Earthly behavior.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Adam Kasztenny <adam.kasztenny@elastic.co>

Avoid globs that could accidentally change permissions on unexpected
files if the build changes later. Use the known binary names with
the correct platform-specific extension instead.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Adam Kasztenny <adam.kasztenny@elastic.co>
@adamkasztenny adamkasztenny force-pushed the fix/nix-binary-permissions branch from 7316ce4 to 7f9487a Compare March 30, 2026 18:23
@adamkasztenny adamkasztenny marked this pull request as ready for review March 30, 2026 18:27
@adamkasztenny adamkasztenny requested a review from a team as a code owner March 30, 2026 18:27
@adamkasztenny adamkasztenny requested a review from adamwg March 30, 2026 18:27
Member

@adamwg adamwg left a comment


LGTM, thanks for the change.

@adamwg adamwg merged commit 703a5ba into crossplane:main Apr 6, 2026
22 of 23 checks passed
@jbw976 jbw976 added this to the v2.3 milestone Apr 7, 2026
