🐛 fix(go/v4,helm/v2-alpha): use 0644/0755 for generated files (#5508)

fix(go/v4,helm/v2-alpha): use 0644/0755 for generated files

Author: camilamacedo86

.github/workflows/lint.yml

@@ -36,6 +36,8 @@ jobs:
         run: make install-helm
       - name: Run yamllint (YAML + Helm chart output 2-space indentation)
         run: make yamllint
+      - name: Check sample permissions
+        run: make check-sample-permissions
 
   license:
     runs-on: ubuntu-latest

.gitignore

@@ -32,4 +32,4 @@ docs/book/src/docs
 ## Skip testdata files that generate by tests using TestContext
 **/e2e-*/**
 # Optional rendered chart output (e.g. from make yamllint-helm when debugging)
-testdata/.helm-rendered.yaml
+testdata/.helm-rendered.yaml

Makefile

@@ -132,6 +132,20 @@ yamllint-helm:
 	  docker run --rm -i -v $(PWD):/data -w /data cytopia/yamllint:latest -c .yamllint-helm --no-warnings - || (echo "yamllint-helm: $$chart failed"; exit 1); \
 	done
 
+# All Kubebuilder-generated samples (go/v4, kustomize, helm use machinery defaults 0755/0644).
+SAMPLE_ROOTS := testdata \
+	docs/book/src/getting-started/testdata \
+	docs/book/src/cronjob-tutorial/testdata \
+	docs/book/src/multiversion-tutorial/testdata
+
+.PHONY: check-sample-permissions
+check-sample-permissions: ## Fail if any file/dir under testdata or docs samples has wrong permissions (expect 0644/0755). bin/ excluded.
+	@for d in $(SAMPLE_ROOTS); do \
+		test -d "$$d" || continue; \
+		bad=$$(find "$$d" -path '*/bin' -prune -o \( \( -type f ! -perm 0644 \) -o \( -type d ! -perm 0755 \) \) -print 2>/dev/null); \
+		if [ -n "$$bad" ]; then echo "Invalid permissions under $$d (expect 0644/0755):"; echo "$$bad"; exit 1; fi; \
+	done
+
 .PHONY: golangci-lint
 golangci-lint:
 	$(call go-install-tool,$(GOLANGCI_LINT),github.com/golangci/golangci-lint/v2/cmd/golangci-lint,${GOLANGCI_LINT_VERSION})

pkg/cli/cli.go

@@ -310,7 +310,7 @@ func patchProjectFileInMemoryIfNeeded(fs afero.Fs, path string) error {
 	}
 
 	if modified != original {
-		err := afero.WriteFile(fs, path, []byte(modified), 0o755)
+		err := afero.WriteFile(fs, path, []byte(modified), machinery.DefaultFilePermission)
 		if err != nil {
 			return fmt.Errorf("failed to write patched PROJECT file: %w", err)
 		}

pkg/config/store/yaml/store.go

@@ -144,7 +144,7 @@ func (s yamlStore) SaveTo(path string) error {
 	content = append([]byte(commentStr), content...)
 
 	// Write the marshalled configuration
-	err = afero.WriteFile(s.fs, path, content, 0o600)
+	err = afero.WriteFile(s.fs, path, content, machinery.DefaultFilePermission)
 	if err != nil {
 		return store.SaveError{Err: fmt.Errorf("failed to save configuration to %q: %w", path, err)}
 	}

pkg/machinery/scaffold.go

@@ -38,8 +38,11 @@ import (
 const (
 	createOrUpdate = os.O_WRONLY | os.O_CREATE | os.O_TRUNC
 
-	defaultDirectoryPermission os.FileMode = 0o700
-	defaultFilePermission      os.FileMode = 0o600
+	// DefaultDirectoryPermission and DefaultFilePermission are used so generated
+	// files work in shared and container workflows. Use them when writing scaffolded
+	// or config files for consistency.
+	DefaultDirectoryPermission os.FileMode = 0o755
+	DefaultFilePermission      os.FileMode = 0o644
 )
 
 var options = imports.Options{
@@ -69,8 +72,8 @@ type ScaffoldOption func(*Scaffold)
 func NewScaffold(fs Filesystem, options ...ScaffoldOption) *Scaffold {
 	s := &Scaffold{
 		fs:       fs.FS,
-		dirPerm:  defaultDirectoryPermission,
-		filePerm: defaultFilePermission,
+		dirPerm:  DefaultDirectoryPermission,
+		filePerm: DefaultFilePermission,
 	}
 
 	for _, option := range options {

pkg/machinery/scaffold_test.go

@@ -31,8 +31,8 @@ var _ = Describe("Scaffold", func() {
 		It("should succeed for no option", func() {
 			s := NewScaffold(Filesystem{FS: afero.NewMemMapFs()})
 			Expect(s.fs).NotTo(BeNil())
-			Expect(s.dirPerm).To(Equal(defaultDirectoryPermission))
-			Expect(s.filePerm).To(Equal(defaultFilePermission))
+			Expect(s.dirPerm).To(Equal(DefaultDirectoryPermission))
+			Expect(s.filePerm).To(Equal(DefaultFilePermission))
 			Expect(s.injector.config).To(BeNil())
 			Expect(s.injector.boilerplate).To(Equal(""))
 			Expect(s.injector.resource).To(BeNil())
@@ -44,7 +44,7 @@ var _ = Describe("Scaffold", func() {
 			s := NewScaffold(Filesystem{FS: afero.NewMemMapFs()}, WithDirectoryPermissions(dirPermissions))
 			Expect(s.fs).NotTo(BeNil())
 			Expect(s.dirPerm).To(Equal(dirPermissions))
-			Expect(s.filePerm).To(Equal(defaultFilePermission))
+			Expect(s.filePerm).To(Equal(DefaultFilePermission))
 			Expect(s.injector.config).To(BeNil())
 			Expect(s.injector.boilerplate).To(Equal(""))
 			Expect(s.injector.resource).To(BeNil())
@@ -55,7 +55,7 @@ var _ = Describe("Scaffold", func() {
 
 			s := NewScaffold(Filesystem{FS: afero.NewMemMapFs()}, WithFilePermissions(filePermissions))
 			Expect(s.fs).NotTo(BeNil())
-			Expect(s.dirPerm).To(Equal(defaultDirectoryPermission))
+			Expect(s.dirPerm).To(Equal(DefaultDirectoryPermission))
 			Expect(s.filePerm).To(Equal(filePermissions))
 			Expect(s.injector.config).To(BeNil())
 			Expect(s.injector.boilerplate).To(Equal(""))
@@ -67,8 +67,8 @@ var _ = Describe("Scaffold", func() {
 
 			s := NewScaffold(Filesystem{FS: afero.NewMemMapFs()}, WithConfig(cfg))
 			Expect(s.fs).NotTo(BeNil())
-			Expect(s.dirPerm).To(Equal(defaultDirectoryPermission))
-			Expect(s.filePerm).To(Equal(defaultFilePermission))
+			Expect(s.dirPerm).To(Equal(DefaultDirectoryPermission))
+			Expect(s.filePerm).To(Equal(DefaultFilePermission))
 			Expect(s.injector.config).NotTo(BeNil())
 			Expect(s.injector.config.GetVersion().Compare(cfgv3.Version)).To(Equal(0))
 			Expect(s.injector.boilerplate).To(Equal(""))
@@ -80,8 +80,8 @@ var _ = Describe("Scaffold", func() {
 
 			s := NewScaffold(Filesystem{FS: afero.NewMemMapFs()}, WithBoilerplate(boilerplate))
 			Expect(s.fs).NotTo(BeNil())
-			Expect(s.dirPerm).To(Equal(defaultDirectoryPermission))
-			Expect(s.filePerm).To(Equal(defaultFilePermission))
+			Expect(s.dirPerm).To(Equal(DefaultDirectoryPermission))
+			Expect(s.filePerm).To(Equal(DefaultFilePermission))
 			Expect(s.injector.config).To(BeNil())
 			Expect(s.injector.boilerplate).To(Equal(boilerplate))
 			Expect(s.injector.resource).To(BeNil())
@@ -97,8 +97,8 @@ var _ = Describe("Scaffold", func() {
 
 			s := NewScaffold(Filesystem{FS: afero.NewMemMapFs()}, WithResource(res))
 			Expect(s.fs).NotTo(BeNil())
-			Expect(s.dirPerm).To(Equal(defaultDirectoryPermission))
-			Expect(s.filePerm).To(Equal(defaultFilePermission))
+			Expect(s.dirPerm).To(Equal(DefaultDirectoryPermission))
+			Expect(s.filePerm).To(Equal(DefaultFilePermission))
 			Expect(s.injector.config).To(BeNil())
 			Expect(s.injector.boilerplate).To(Equal(""))
 			Expect(s.injector.resource).NotTo(BeNil())

pkg/plugins/optional/helm/v2alpha/scaffolds/edit_kustomize.go

@@ -131,7 +131,7 @@ func (s *editKustomizeScaffolder) Scaffold() error {
 	chartConverter := kustomize.NewChartConverter(resources, namePrefix, chartName, s.outputDir)
 	deploymentConfig := chartConverter.ExtractDeploymentConfig()
 
-	// Create scaffold for standard Helm chart files
+	// Create scaffold for standard Helm chart files (uses machinery defaults 0755/0644).
 	scaffold := machinery.NewScaffold(s.fs, machinery.WithConfig(s.config))
 
 	// Define the standard Helm chart files to generate