Make promoted files read-only

MisterDA · MisterDA · commit c2a4aac004b7 · 2025-10-04T12:50:51.000+02:00
Signed-off-by: Antonin Décimo &lt;antonin@tarides.com&gt;
diff --git a/bin/subst.ml b/bin/subst.ml
@@ -153,7 +153,15 @@ let subst_file path ~map opam_package_files =
       | None, Some x -> Some x
       | Some x, Some y -> Some (x ^ "\n" ^ y)
     in
-    Option.iter contents ~f:(Io.write_file path)
+    (match contents with
+     | None -> ()
+     | Some contents ->
+       (try Io.write_file path contents with
+        | Unix.Unix_error (Unix.EACCES, _, _) ->
+          let Unix.{ st_perm; _ } = Path.stat_exn path in
+          Path.chmod path ~mode:(Path.Permissions.add Path.Permissions.write st_perm);
+          Io.write_file path contents;
+          Path.chmod path ~mode:st_perm))
 ;;
 
 (* Extending the Dune_project APIs, but adding capability to modify *)
diff --git a/doc/changes/12519.md b/doc/changes/12519.md
@@ -0,0 +1 @@
+- Make promoted files read-only. (#12519, #12465, @MisterDA)
diff --git a/src/dune_engine/target_promotion.ml b/src/dune_engine/target_promotion.ml
@@ -82,9 +82,10 @@ let promote_target_if_not_up_to_date
         ];
       if promote_until_clean then To_delete.add dst;
       (* The file in the build directory might be read-only if it comes from the
-         shared cache. However, we want the file in the source tree to be
-         writable by the user, so we explicitly set the user writable bit. *)
-      let chmod = Path.Permissions.add Path.Permissions.write in
+         shared cache. We don't want the file in the source tree to be writable
+         by the user, since a new promotion will overwrite it, so we explicitly
+         remove the write permission. *)
+      let chmod = Path.Permissions.remove Path.Permissions.write in
       let+ () = promote_source ~chmod ~delete_dst_if_it_is_a_directory:true ~src ~dst in
       true
   in
diff --git a/test/blackbox-tests/test-cases/dune-cache/promotion-in-source-tree.t b/test/blackbox-tests/test-cases/dune-cache/promotion-in-source-tree.t
@@ -20,9 +20,9 @@ Reproduction case for #3026
 Run Dune a first time to fill the cache, then delete the promoted file and run
 Dune again. At the end of the first run, the file [_build/default/file] should
 get deduplicated and so become read-only. As a result, on the second run the
-promoted file will be copied from a read-only file. However, we still want the
-user to be able to edit this file given that it is in the source tree, so Dune
-should change the permission of this file.
+promoted file will be copied from a read-only file. We don't want the user to be
+able to edit this file even if it is in the source tree, as Dune will always
+overwrite it, so Dune should ensure the file isn't writable.
 
 We check that Dune does change the permission by echoing something into the file
 after the second run.
@@ -40,4 +40,5 @@ after the second run.
   $ cat file
   Hello, world!
 
-  $ echo plop > file
+  $ dune_cmd stat permissions file
+  444
diff --git a/test/blackbox-tests/test-cases/ignore-promoted-rules-internal-rules.t b/test/blackbox-tests/test-cases/ignore-promoted-rules-internal-rules.t
@@ -11,6 +11,9 @@ Reported in #8417
   > EOF
 
   $ dune build foo.opam
+  $ dune_cmd stat permissions foo.opam
+  444
+  $ chmod +w foo.opam
   $ echo foobar_extra >> foo.opam
   $ grep foobar_extra foo.opam
   foobar_extra
diff --git a/test/blackbox-tests/test-cases/promote/old-tests.t/run.t b/test/blackbox-tests/test-cases/promote/old-tests.t/run.t
@@ -125,6 +125,9 @@ Dune restores only1 if it's modified in the source tree
 
   $ cat only1
   0
+  $ dune_cmd stat permissions only1
+  444
+  $ chmod +w only1
   $ echo 1 > only1
   $ dune build only2
   $ cat only1
diff --git a/test/blackbox-tests/test-cases/promote/promote-only-when-needed.t b/test/blackbox-tests/test-cases/promote/promote-only-when-needed.t
@@ -22,6 +22,9 @@ Dune doesn't promote the file again if it's unchanged.
 
 Dune does promotes the file again if it's changed.
 
+  $ dune_cmd stat permissions promoted
+  444
+  $ chmod +w promoted
   $ echo hi > promoted
   $ dune build promoted --verbose 2>&1 | grep "Promoting"
   Promoting "_build/default/promoted" to "promoted"
diff --git a/test/blackbox-tests/test-cases/watching/dir-target-promotion.t b/test/blackbox-tests/test-cases/watching/dir-target-promotion.t
@@ -50,6 +50,9 @@ Remove a directory and rebuild.
 
 Modify a file and rebuild.
 
+  $ dune_cmd stat permissions d1/b
+  444
+  $ chmod +w d1/b
   $ echo -n "*" > d1/b
   $ cat d1/a d1/b d1/d2/c
   +*+
diff --git a/test/blackbox-tests/test-cases/watching/target-promotion.t b/test/blackbox-tests/test-cases/watching/target-promotion.t
@@ -50,6 +50,9 @@ Now try deleting the promoted file.
 
 Now try replacing its content.
 
+  $ dune_cmd stat permissions promoted
+  444
+  $ chmod +w promoted
   $ echo hi > promoted
   $ build result
   Success

Original file line number	Diff line number	Diff line change
`@@ -0,0 +1 @@`
	`1`	`+- Make promoted files read-only. (#12519, #12465, @MisterDA)`
Original file line number	Diff line number	Diff line change
`@@ -125,6 +125,9 @@ Dune restores only1 if it's modified in the source tree`
`125`	`125`
`126`	`126`	`$ cat only1`
`127`	`127`	`0`
	`128`	`+ $ dune_cmd stat permissions only1`
	`129`	`+ 444`
	`130`	`+ $ chmod +w only1`
`128`	`131`	`$ echo 1 > only1`
`129`	`132`	`$ dune build only2`
`130`	`133`	`$ cat only1`