In a previous commit, we made incremental graph layers read-only by
using 'git_mkstemp_mode' with permissions '0444'.
There is no reason that 'commit-graph-chain's should be modifiable by
the user, since they are generated at a temporary location and then
atomically renamed into place.
To ensure that these files are read-only, too, use
'hold_lock_file_for_update_mode' with the same read-only permission
bits, and let the umask and 'adjust_shared_perm' take care of the rest.
Signed-off-by: Taylor Blau <me@xxxxxxxxxxxx>
---
commit-graph.c | 3 ++-
t/t5324-split-commit-graph.sh | 2 ++
2 files changed, 4 insertions(+), 1 deletion(-)
diff --git a/commit-graph.c b/commit-graph.c
index d05a55901d..b2dfd7701f 100644
--- a/commit-graph.c
+++ b/commit-graph.c
@@ -1378,7 +1378,8 @@ static int write_commit_graph_file(struct write_commit_graph_context *ctx)
if (ctx->split) {
char *lock_name = get_chain_filename(ctx->odb);
- hold_lock_file_for_update(&lk, lock_name, LOCK_DIE_ON_ERROR);
+ hold_lock_file_for_update_mode(&lk, lock_name,
+ LOCK_DIE_ON_ERROR, 0444);
fd = git_mkstemp_mode(ctx->graph_name, 0444);
if (fd < 0) {
diff --git a/t/t5324-split-commit-graph.sh b/t/t5324-split-commit-graph.sh
index 699c23d077..cff5a41f48 100755
--- a/t/t5324-split-commit-graph.sh
+++ b/t/t5324-split-commit-graph.sh
@@ -366,6 +366,8 @@ do
test_line_count = 1 graph-files &&
echo "$modebits" >expect &&
test_modebits $graphdir/graph-*.graph >actual &&
+ test_cmp expect actual &&
+ test_modebits $graphdir/commit-graph-chain >actual &&
test_cmp expect actual
'
done <<\EOF
--
2.26.0.113.ge9739cdccc
