fix: use chmod 755 instead of 777 for downloaded helm binary and folder (#278)

World-writable permissions allow other processes on shared runners to replace the helm binary or inject files between download and execution.

Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)

Co-authored-by: Sisyphus <clio-agent@sisyphuslabs.ai>
David Gamero
2026-06-04 19:25:36 -04:00
committed by GitHub
parent 9dad99fe3c
commit 69214f9d74
2 changed files with 7 additions and 7 deletions
+4 -4
@@ -288,11 +288,11 @@ describe('run.ts', () => {
expect(toolCache.downloadTool).toHaveBeenCalledWith( expect(toolCache.downloadTool).toHaveBeenCalledWith(
'https://test.tld/helm-v4.0.0-windows-amd64.zip' 'https://test.tld/helm-v4.0.0-windows-amd64.zip'
) )
expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '777') expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '755')
expect(toolCache.extractZip).toHaveBeenCalledWith('pathToTool') expect(toolCache.extractZip).toHaveBeenCalledWith('pathToTool')
expect(fs.chmodSync).toHaveBeenCalledWith( expect(fs.chmodSync).toHaveBeenCalledWith(
path.join('pathToCachedDir', 'helm.exe'), path.join('pathToCachedDir', 'helm.exe'),
'777' '755'
) )
}) })
@@ -335,7 +335,7 @@ describe('run.ts', () => {
expect(toolCache.find).toHaveBeenCalledWith('helm', 'v3.2.1') expect(toolCache.find).toHaveBeenCalledWith('helm', 'v3.2.1')
expect(fs.chmodSync).toHaveBeenCalledWith( expect(fs.chmodSync).toHaveBeenCalledWith(
path.join('pathToCachedDir', 'helm.exe'), path.join('pathToCachedDir', 'helm.exe'),
'777' '755'
) )
}) })
@@ -362,7 +362,7 @@ describe('run.ts', () => {
expect(toolCache.downloadTool).toHaveBeenCalledWith( expect(toolCache.downloadTool).toHaveBeenCalledWith(
'https://test.tld/helm-v3.2.1-windows-amd64.zip' 'https://test.tld/helm-v3.2.1-windows-amd64.zip'
) )
expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '777') expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '755')
expect(toolCache.extractZip).toHaveBeenCalledWith('pathToTool') expect(toolCache.extractZip).toHaveBeenCalledWith('pathToTool')
}) })
}) })
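Review bot: The updated assertions for 'pathToTool' and the helm.exe path only check that chmodSync was called with '755'; toHaveBeenCalledWith passes as long as any call matches, so a regression that reintroduced a '777' chmod next to the '755' ones would still be green. A negative assertion in each case, `expect(fs.chmodSync).not.toHaveBeenCalledWith(expect.anything(), '777')`, pins the intent of this fix rather than just the presence of the new mode. The same applies to the @@ -335 and @@ -362 hunks. The enclosing it/describe blocks start outside the hunks.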
+3 -3
@@ -105,7 +105,7 @@ export async function downloadHelm(
) )
} }
fs.chmodSync(helmDownloadPath, '777') fs.chmodSync(helmDownloadPath, '755')
const extractedPath = const extractedPath =
getPlatform() === 'windows' getPlatform() === 'windows'
? await toolCache.extractZip(helmDownloadPath) ? await toolCache.extractZip(helmDownloadPath)
@@ -125,12 +125,12 @@ export async function downloadHelm(
) )
} }
fs.chmodSync(helmpath, '777') fs.chmodSync(helmpath, '755')
return helmpath return helmpath
} }
export function findHelm(rootFolder: string): string { export function findHelm(rootFolder: string): string {
fs.chmodSync(rootFolder, '777') fs.chmodSync(rootFolder, '755')
let filelist: string[] = [] let filelist: string[] = []
walkSync(rootFolder, filelist, helmToolName + getExecutableExtension()) walkSync(rootFolder, filelist, helmToolName + getExecutableExtension())
if (!filelist || filelist.length == 0) { if (!filelist || filelist.length == 0) {