modify file permissions

javirln · javirln · commit 365f8f724572 · 2025-12-01T10:28:14.000+01:00
Signed-off-by: Javier Rodriguez &lt;javier@chainloop.dev&gt;
diff --git a/pkg/attestation/crafter/runners/tektonpipeline_test.go b/pkg/attestation/crafter/runners/tektonpipeline_test.go
@@ -70,7 +70,7 @@ tekton.dev/taskRunUID="xyz-789-uvw"
 tekton.dev/task="build-task"
 app.kubernetes.io/managed-by="tekton-pipelines"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	labels := s.runner.parseLabels()
@@ -87,7 +87,7 @@ tekton.dev/taskRun="my-taskrun-456"
 tekton.dev/taskRunUID="def-456-ghi"
 app.kubernetes.io/managed-by="tekton-pipelines"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	labels := s.runner.parseLabels()
@@ -110,7 +110,7 @@ func (s *tektonPipelineTestSuite) TestListEnvVars_WithLabels() {
 	labelsContent := `tekton.dev/pipelineRun="my-run"
 tekton.dev/taskRun="my-task-run"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	envVars := s.runner.ListEnvVars()
@@ -135,7 +135,7 @@ tekton.dev/pipelineRun="my-pipeline-run-123"
 tekton.dev/pipelineRunUID="abc-123-def"
 tekton.dev/taskRun="task-run-xyz"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	resolved, errors := s.runner.ResolveEnvVars()
@@ -160,15 +160,15 @@ func (s *tektonPipelineTestSuite) TestRunURI_PipelineRun() {
 	// Create labels and namespace files
 	labelsContent := `tekton.dev/pipelineRun="my-pipeline-run-123"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	// Mock namespace by creating service account namespace file
 	nsDir := filepath.Join(s.tmpDir, "run", "secrets", "kubernetes.io", "serviceaccount")
 	err = os.MkdirAll(nsDir, 0755)
 	assert.NoError(s.T(), err)
 	nsPath := filepath.Join(nsDir, "namespace")
-	err = os.WriteFile(nsPath, []byte("production"), 0644)
+	err = os.WriteFile(nsPath, []byte("production"), 0600)
 	assert.NoError(s.T(), err)
 
 	// Override the namespace path temporarily
@@ -186,7 +186,7 @@ func (s *tektonPipelineTestSuite) TestRunURI_TaskRun() {
 	// Create a labels file with TaskRun only (no PipelineRun)
 	labelsContent := `tekton.dev/taskRun="my-taskrun-456"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	labels := s.runner.parseLabels()
@@ -198,7 +198,7 @@ func (s *tektonPipelineTestSuite) TestRunURI_PipelineRunPriority() {
 	labelsContent := `tekton.dev/pipelineRun="pipeline-run-123"
 tekton.dev/taskRun="taskrun-456"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	labels := s.runner.parseLabels()
@@ -217,7 +217,7 @@ func (s *tektonPipelineTestSuite) TestRunURI_CustomDashboard() {
 	// Test custom dashboard URL via environment variable
 	labelsContent := `tekton.dev/pipelineRun="my-run"
 `
-	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0644)
+	err := os.WriteFile(s.runner.labelsPath, []byte(labelsContent), 0600)
 	assert.NoError(s.T(), err)
 
 	s.T().Setenv("TEKTON_DASHBOARD_URL", "https://tekton.example.com")
