os.CreateTemp in downloadZip creates files with 0600 permissions and as a consequence, after the final os.Rename, the downloaded zip files are left readable only by their owner.
Such restrictive permissions create problems in build/CI environments where go mod download is a separate step and performed under a distinct "download" user. For example, it makes it impossible to do go mod verify during the build stage, if the build stage is executed under a "build" user that is distinct from the "download" user.
It's doesn't seem that making cached zip files readable by "group" and "others" (0644) would compromise cache integrity, but it would fix the above issue.
The text was updated successfully, but these errors were encountered: