pnpm.fetchDeps: ensure consistent permissions after fetching

For reasons not yet completely understood, `pnpm` might create dependency files with inconsistent file permissions. Since file permissions are stored in the NAR-archive used to derive the hash of a fixed output derivation, this leads to inconsistencies depending on where a derivation is built. Hence, we ensure a consistent file permission scheme: * All files with `-exec` suffix have 555. * All other files have 444. * All folders have 555. This schema was chosen because it as already upheld in most environments we tested.
NixOS · Dec 1, 2024 · 8bfd975 · 8bfd975
1 parent 2c27ab2
commit 8bfd975
Showing 1 changed file with 12 additions and 0 deletions.
diff --git a/pkgs/development/tools/pnpm/fetch-deps/default.nix b/pkgs/development/tools/pnpm/fetch-deps/default.nix
@@ -97,6 +97,18 @@
               jq --sort-keys "del(.. | .checkedAt?)" $f | sponge $f
             done
 
+            # NOTE: For reasons not yet known, pnpm might create files with
+            # inconsistent permissions, for example inside the ubuntu-24.04
+            # github actions runner.
+            # To ensure stable derivations, we need to set permissions
+            # consistently, namely:
+            # * All files with `-exec` suffix have 555.
+            # * All other files have 444.
+            # * All folders have 555.
+            find $out -type f -name "*-exec" -print0 | xargs -0 chmod 555
+            find $out -type f -not -name "*-exec" -print0 | xargs -0 chmod 444
+            find $out -type d -print0 | xargs -0 chmod 555
+
             runHook postFixup
           '';