Expected Behaviour
When testing a shellscript worker, it may be necessary to check for the presence or content of the out/errors/error.json and out/errors/type.txt output files defined by the ShellScriptWorker.prepareMetadata() function. A test script should have the ability to open these files for reading, in the same way that the out/rendition0.png file can be read.
Actual Behaviour
However, when running npm test in a CI environment under a different user than the docker daemon, the asset-compute plugin fails to ensure that the out/errors directory is pre-created with the execute bit allowed for everyone, which makes it possible for the docker user to create it with a more restrictive umask, leading to a situation like this:
In the above example, even though the errors/ directory and its children are readable by everyone, the lack of the execute bit makes it impossible for the circleci user to open the directory to read the contents of those nested files.
Reproduce Scenario (including but not limited to)
Set up a circleci pipeline using the default machine (linux) runner, where the docker agent is running as circleci-admin and the shell is running as circleci.
Run npm test on a shellscript worker project where worker.sh writes content to either $errorfile or $typefile, for example:
out/errors/type.txt file in the validate script
Platform and Version
@adobe/aio-cli-plugin-asset-compute 1.5.0
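The missing execute (search) bit described in this report can be detected from mode bits alone. The sketch below is an added example, not code from the plugin or from the issue; the function names, the umask value 0033 and the directory layout are assumptions, and it needs GNU stat.

```sh
# Added example, not code from the plugin. Assumes GNU stat (stat -c) as on a
# Linux CI runner. Only mode bits are checked; ownership and ACLs are ignored.

# Print the first path under ROOT that stops an "other" user from reading FILE.
# Returns 0 (prints nothing) when every directory has o+x and the file has o+r.
first_blocker() {
    fb_path=$1
    fb_rest=${2#"$1"/}
    while :; do
        fb_mode=$(stat -c '%a' "$fb_path") || return 2
        fb_other=${fb_mode#"${fb_mode%?}"}      # last octal digit = "other" bits
        if [ -z "$fb_rest" ]; then              # reached the file: needs read
            case $fb_other in 4|5|6|7) return 0 ;; esac
            echo "$fb_path"; return 1
        fi
        case $fb_other in                       # directory: needs execute (search)
            1|3|5|7) ;;
            *) echo "$fb_path"; return 1 ;;
        esac
        fb_path=$fb_path/${fb_rest%%/*}
        case $fb_rest in */*) fb_rest=${fb_rest#*/} ;; *) fb_rest= ;; esac
    done
}

# Constructed reproduction: errors/ is created under umask 0033 (rwxr--r--),
# while the file inside it is world-readable.
make_out_like_report() {
    mkdir -p "$1" && chmod 755 "$1" || return 1
    ( umask 0033 && mkdir "$1/errors" ) || return 1
    echo 'constructed sample' > "$1/errors/type.txt"
    chmod 644 "$1/errors/type.txt"
}

# Add the execute bit for everyone. Naming "a" explicitly makes chmod ignore
# the umask; a bare "chmod +x" would still be masked by it.
allow_traversal() {
    chmod a+x "$1/errors"
}
```

A test script can call first_blocker on out/errors/type.txt before opening it, so a permission problem is reported with the offending directory instead of a bare "Permission denied".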