From 8bfd9750da8ff16a5ac0ce092ffe0fa0fae604ac Mon Sep 17 00:00:00 2001
From: Oliver Breitwieser
Date: Sun, 20 Oct 2024 17:53:15 +0200
Subject: [PATCH] pnpm.fetchDeps: ensure consistent permissions after fetching
For reasons not yet completely understood, `pnpm` might create dependency files with inconsistent file permissions. Since file permissions are stored in the NAR-archive used to derive the hash of a fixed output derivation, this leads to inconsistencies depending on where a derivation is built.
Hence, we ensure a consistent file permission scheme:
* All files with `-exec` suffix have 555.
* All other files have 444.
* All folders have 555.
This schema was chosen because it as already upheld in most environments we tested.
---
 pkgs/development/tools/pnpm/fetch-deps/default.nix | 12 ++++++++++++
 1 file changed, 12 insertions(+)
diff --git a/pkgs/development/tools/pnpm/fetch-deps/default.nix b/pkgs/development/tools/pnpm/fetch-deps/default.nix
index 971f1656ba924..1a55b1a19f647 100644
--- a/pkgs/development/tools/pnpm/fetch-deps/default.nix
+++ b/pkgs/development/tools/pnpm/fetch-deps/default.nix
@@ -97,6 +97,18 @@
 jq --sort-keys "del(.. | .checkedAt?)" $f | sponge $f
 done
+ # NOTE: For reasons not yet known, pnpm might create files with
+ # inconsistent permissions, for example inside the ubuntu-24.04
+ # github actions runner.
+ # To ensure stable derivations, we need to set permissions
+ # consistently, namely:
+ # * All files with `-exec` suffix have 555.
+ # * All other files have 444.
+ # * All folders have 555.
+ find $out -type f -name "*-exec" -print0 | xargs -0 chmod 555
+ find $out -type f -not -name "*-exec" -print0 | xargs -0 chmod 444
+ find $out -type d -print0 | xargs -0 chmod 555
+
 runHook postFixup
 '';
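Review bot: The three `find … | xargs -0 chmod` pipelines added before `runHook postFixup` fail when a `find` matches nothing, because GNU xargs still runs `chmod 555` once with no file operand unless it is given `-r`, and chmod then exits non-zero. A fetched store that contains no `*-exec` file would hit this on the first pipeline; whether that aborts the phase depends on the shell options the builder sets, which are not visible in this hunk. Letting find call chmod directly handles the empty case and removes the pipe: `find $out -type f -name "*-exec" -exec chmod 555 {} +`, with the same form for the 444 and directory lines. The phase string these lines belong to starts outside the hunk.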