diff --git a/doc/languages-frameworks/javascript.section.md b/doc/languages-frameworks/javascript.section.md
index f91ea3e60e0e..166e0d4c7266 100644
--- a/doc/languages-frameworks/javascript.section.md
+++ b/doc/languages-frameworks/javascript.section.md
@@ -444,7 +444,7 @@ stdenv.mkDerivation (finalAttrs: {
 pnpmDeps = pnpm.fetchDeps {
 inherit (finalAttrs) pname version src;
 hash = "...";
- fetcherVersion = 1;
+ fetcherVersion = 2;
 };
 })
 ```
@@ -593,6 +593,7 @@ Changes can include workarounds or bug fixes to existing PNPM issues.
 ##### Version history {#javascript-pnpm-fetcherVersion-versionHistory}
 - 1: Initial version, nothing special
+- 2: [Ensure consistent permissions](https://github.com/NixOS/nixpkgs/pull/422975)
 ### Yarn {#javascript-yarn}
diff --git a/pkgs/development/tools/pnpm/fetch-deps/default.nix b/pkgs/development/tools/pnpm/fetch-deps/default.nix
index 3d784c5eab9e..164feec97923 100644
--- a/pkgs/development/tools/pnpm/fetch-deps/default.nix
+++ b/pkgs/development/tools/pnpm/fetch-deps/default.nix
@@ -118,6 +118,23 @@ in
 jq --sort-keys "del(.. | .checkedAt?)" $f | sponge $f
 done
+ # Ensure consistent permissions
+ # NOTE: For reasons not yet fully understood, pnpm might create files with
+ # inconsistent permissions, for example inside the ubuntu-24.04
+ # github actions runner.
+ # To ensure stable derivations, we need to set permissions
+ # consistently, namely:
+ # * All files with `-exec` suffix have 555.
+ # * All other files have 444.
+ # * All folders have 555.
+ # See https://github.com/NixOS/nixpkgs/pull/350063
+ # See https://github.com/NixOS/nixpkgs/issues/422889
+ if [[ ${toString fetcherVersion} -ge 2 ]]; then
+ find $out -type f -name "*-exec" -print0 | xargs -0 chmod 555
+ find $out -type f -not -name "*-exec" -print0 | xargs -0 chmod 444
+ find $out -type d -print0 | xargs -0 chmod 555
+ fi
+
 runHook postFixup
 '';
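Review bot: The first added `find $out -type f -name "*-exec" -print0 | xargs -0 chmod 555` in the default.nix hunk calls `chmod` with no file operand when nothing under `$out` matches, because GNU xargs runs its command once even on empty input. chmod then exits non-zero, which would presumably abort the phase if the builder shell runs with errexit and pipefail (those settings are not visible in this hunk). A dependency set with no executable store entries seems plausible, so the fetch would fail for a reason unrelated to the hash. Letting find batch the call avoids the empty case, e.g. `find "$out" -type f -name "*-exec" -exec chmod 555 {} +`, and the same form applies to the other two lines; adding `-r` to each xargs is the smaller alternative. The enclosing phase string begins above the hunk, so the surrounding shell options should be confirmed there.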