Remote git fetch sometimes fail

[ctmbl]

a script remote_git_pull.sh has been introduced by #55 , it aims to update the state of the local git copy on the remote server from where we deploy the website. This PR also reworks the use and names of secrets in the deployment workflow, which needed some rework for sure!

However sometimes this script fails, due to permissions or owning problems on the remote server, and is therefore really server-state dependant.
The change is recent I expect that this script will fail again in the future but I hope that less and less as the change grows old

• fail on manual trigger
• success on a later manual trigger

A possible patch would be to overwrite the return code of the command and instead just emit a GitHub Action warning
something like:

ssh ${{ secrets.CI_USER_NAME }}@iscsc.fr /usr/bin/bash ${{ secrets.REPO_PATH_ON_REMOTE }}/scripts/remote_git_pull.sh ${{ secrets.REPO_PATH_ON_REMOTE }} || echo "::warning file=remote_git_pull.sh ::Remote git pull failed, you should investigate manually"

But I don't want to patch it right now, this is the kind of bug due to permission and environment, I prefer to get a bit more of information and experience before patching it

[ctmbl]

on next action it seemed to work fine, maybe the time that all files in .git get converted to the right owner/perms
https://github.com/iScsc/blog.iscsc.fr/actions/runs/9285642478/job/25550640703
so I'll let this open and idle for a while and then close it if no other errors show up

[ctmbl]

Issue identification

the problem is that newly created (or updated by fetching and rebasing) files and directories are created without the group write bit.

on the server:

$ git show --compact-summary
commit 5e394324f35f71bb3b3a40f5216f75766ada44a8 (HEAD -> main)
Author: ClementMabileau <[email protected]>
Date:   Tue Sep 17 09:15:21 2024 +0200

    Add an Events page (#81)
...
 src/assets/css/custom.css                   |  11 ++++++++++
 src/config.toml                             |   1 +
$ ll src/
total 28K
drwxrwsr-x 3 ci-deployment maintainers 4.0K Sep  1 12:23 assets
-rw-r--r-- 1 ci-deployment maintainers 5.6K Sep 17 07:39 config.toml
...
$ ll src/assets/css/
-rw-r--r-- 1 ci-deployment maintainers 1.2K Sep 17 07:39 custom.css

due to the value of umask:

$ umask
0022

so when other users than the CI one fetch or change files they own the file, and the CI can no longer change this file

Solution

the solution:

• change the umask value to 0002 so that files are created WITH the group write bit, tks to the setgid bit and the maintainer bit, all users of the maintainer group will be able to modify the files
• no user other than the CI must change the files in the repo on the server

sources:

• https://www.howtogeek.com/812961/umask-linux/#short-term-changes-to-umask
• https://unix.stackexchange.com/questions/524738/why-choose-a-umask-of-002-over-022
• https://unix.stackexchange.com/questions/315121/why-is-the-default-umask-002-or-022-in-many-unix-systems-seems-insecure-by-defa