Commit 8a3991c

test(ci): keep cache dir traversable so restore verification can read files
Previous run proved the round-trip works (50.06MB saved → 50.06MB restored, exact match) but the assertion failed because chmod -R 0600 stripped the directory's execute bit, locking the runner out of its own restored files. Real container caches have 0755 dirs. Keep the dir 0755, only the files 0600 root-owned.
1 parent ed159d7 commit 8a3991c

1 file changed

Lines changed: 7 additions & 2 deletions

File tree

.github/workflows/verify-cache.yml

@@ -20,11 +20,16 @@ jobs:
2020
sudo mkdir -p "$D"
2121
echo "secret-from-root-$(date +%s%N)" | sudo tee "$D/marker.txt" > /dev/null
2222
sudo dd if=/dev/urandom of="$D/blob.bin" bs=1M count=50 status=none
23-
sudo chmod -R 0600 "$D"
2423
sudo chown -R root:root "$D"
24+
# Directory stays traversable (0755) — like a real container-
25+
# written cache dir. Files are 0600 root-owned so the runner
26+
# genuinely cannot read their contents at save time.
27+
sudo chmod 0755 "$D"
28+
sudo chmod 0600 "$D/marker.txt" "$D/blob.bin"
2529
echo "=== planted (measured as root) ==="
2630
sudo du -sh "$D"
27-
echo "=== runner trying to read marker (should be denied) ==="
31+
echo "=== runner can list the dir but not read the file ==="
32+
ls -la "$D"
2833
cat "$D/marker.txt" 2>&1 || echo "expected: permission denied"
2934
# The action's post-step runs here and saves ~/.cache via sudo tar.
3035
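Review bot: The read check at `cat "$D/marker.txt" 2>&1 || echo "expected: permission denied"` passes either way, so the new comment's claim that the runner "genuinely cannot read their contents" is never enforced. If the mode or ownership ends up wrong, `cat` succeeds, writes the marker into the job log, and the step stays green. Turn it into an assertion, for example `if cat "$D/marker.txt" >/dev/null 2>&1; then echo "unexpected: marker readable"; exit 1; fi`. Separately, `sudo chmod 0600 "$D/marker.txt" "$D/blob.bin"` names the files explicitly, so any file planted in this step later keeps the mode it was created with; `sudo find "$D" -type f -exec chmod 0600 {} +` would cover every file while leaving the directory at 0755.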
