From e0ffb780f55256bcb76dcdea99bc348bb040e43f Mon Sep 17 00:00:00 2001
From: jo <ljonas@riseup.net>
Date: Sat, 19 Nov 2022 18:55:10 +0100
Subject: [PATCH] ci: fix permissions for build artifacts

- anyone should be able to read and traverse the tree
- not all the files should be executable, only scripts
---
 .gitlab-ci.yml                                | 22 +++++++++++++------
 .../ci-build-artifacts-permissions.misc       |  1 +
 2 files changed, 16 insertions(+), 7 deletions(-)
 create mode 100644 changes/changelog.d/ci-build-artifacts-permissions.misc

diff --git a/.gitlab-ci.yml b/.gitlab-ci.yml
index fceb97f94..be9f0e20e 100644
--- a/.gitlab-ci.yml
+++ b/.gitlab-ci.yml
@@ -299,6 +299,11 @@ build_docs:
 build_front:
   stage: build
   image: node:18-alpine
+  variables:
+    # Keep the git files attributes during job setup
+    GIT_STRATEGY: clone
+    GIT_DEPTH: "5"
+    FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR: "true"
   before_script:
     - apk add --no-cache jq bash coreutils python3
     - cd front
@@ -308,9 +313,8 @@ build_front:
     # this is to ensure we don't have any errors in the output,
     # cf https://dev.funkwhale.audio/funkwhale/funkwhale/issues/169
     - yarn run build:deployment | tee /dev/stderr | (! grep -i 'ERROR in')
-    - chmod -R 755 dist
   artifacts:
-    name: "front_${CI_COMMIT_REF_NAME}"
+    name: front_${CI_COMMIT_REF_NAME}
     paths:
       - front/dist/
   only:
@@ -472,17 +476,21 @@ build_api:
   # Simply publish a zip containing api/ directory
   stage: publish
   image: bash
-  artifacts:
-    name: "api_${CI_COMMIT_REF_NAME}"
-    paths:
-      - api
+  variables:
+    # Keep the git files attributes during job setup
+    GIT_STRATEGY: clone
+    GIT_DEPTH: "5"
+    FF_DISABLE_UMASK_FOR_DOCKER_EXECUTOR: "true"
   script:
     - rm -rf api/tests
     - >
       if [ "$CI_COMMIT_REF_NAME" == "develop" ] || [ "$CI_COMMIT_REF_NAME" == "stable" ]; then
         ./scripts/set-api-build-metadata.sh $(echo $CI_COMMIT_SHA | cut -c 1-8);
       fi
-    - chmod -R 750 api
+  artifacts:
+    name: api_${CI_COMMIT_REF_NAME}
+    paths:
+      - api
   only:
     - tags@funkwhale/funkwhale
     - stable@funkwhale/funkwhale
diff --git a/changes/changelog.d/ci-build-artifacts-permissions.misc b/changes/changelog.d/ci-build-artifacts-permissions.misc
new file mode 100644
index 000000000..5374e4f98
--- /dev/null
+++ b/changes/changelog.d/ci-build-artifacts-permissions.misc
@@ -0,0 +1 @@
+Fix permissions for build artifacts