release tarball has user:group file ownership

[AdamMajer]

Steps to reproduce

1. Get tarball of release
2. tar zvft tarball.here
3. see

-rw-r--r-- runner/docker    6912 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Caligraphic-Bold.a1abf90.woff2
-rw-r--r-- runner/docker    6496 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Size1-Regular.0108e89.woff
-rw-r--r-- runner/docker   63632 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_AMS-Regular.853be92.ttf
-rw-r--r-- runner/docker   12228 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Size1-Regular.6de7d4b.ttf
-rw-r--r-- runner/docker    5208 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Size2-Regular.2960900.woff2
-rw-r--r-- runner/docker   33580 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Main-Italic.fa675e5.ttf
-rw-r--r-- runner/docker    5468 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Size1-Regular.6eec866.woff2
-rw-r--r-- runner/docker   31308 2024-08-06 10:34 element-v1.11.73/fonts/KaTeX/KaTeX_Math-Italic.8a5f936.ttf

Outcome

The user/group should be root/root (0:0)

Operating system

No response

Browser information

No response

URL for webapp

No response

Application version

No response

Homeserver

No response

Will you send logs?

No

[t3chguy]

The tarball is generated by git archive - I don't see a way of specifying the permissions other than a umask. https://git-scm.com/docs/git-archive https://github.com/matrix-org/matrix-js-sdk/blob/develop/.github/actions/sign-release-tarball/action.yml#L16

[AdamMajer]

This is strange, because git-archive sets uid/gid to 0:0 root/root. It's hardcoded.

https://lore.kernel.org/git/cef51cd3-c6b5-ed24-f695-83be3a6743b4@web.de/#t

sources:
https://github.com/git/git/blob/master/archive-tar.c#L231

Are you certain this is what happens in case of element-web?

[t3chguy]

Are you certain this is what happens in case of element-web?

Yes.

https://github.com/element-hq/element-web/blob/develop/.github/workflows/release.yml#L15-L25
https://github.com/matrix-org/matrix-js-sdk/blob/develop/.github/workflows/release-make.yml#L188-L193

You can see the run here https://github.com/element-hq/element-web/actions/runs/10264871768/job/28399840479

The only thing we override is the gzip command as shown in the workflow I linked you to originally

[AdamMajer]

Aha! So we are talking about different things :-)

https://github.com/element-hq/element-web/archive/refs/tags/v1.11.74-rc.0.tar.gz -- this one is the git archive generated tarball. It's OK.

https://github.com/element-hq/element-web/releases/download/v1.11.74-rc.0/element-v1.11.74-rc.0.tar.gz -- this is the pre-compiled release tarball that has non-root uid/gid.

[t3chguy]

Good spot, then instead the tarball is made in https://github.com/element-hq/element-web/blob/develop/scripts/package.sh#L26