core: ensure executable permissions are set before Docker builds

thdxr · thdxr · commit d1835686440d · 2026-04-18T22:32:53.000-04:00
Fixes an issue where GitHub artifact downloads could strip executable bits
from binaries, causing Docker builds to fail when using unpacked dist files
directly rather than published tarballs. The chmod now runs before the
publish check to guarantee binaries are executable.
diff --git a/packages/opencode/script/publish.ts b/packages/opencode/script/publish.ts
@@ -12,11 +12,13 @@ async function published(name: string, version: string) {
 }
 
 async function publish(dir: string, name: string, version: string) {
+  // GitHub artifact downloads can drop the executable bit, and Docker uses the
+  // unpacked dist binaries directly rather than the published tarball.
+  if (process.platform !== "win32") await $`chmod -R 755 .`.cwd(dir)
   if (await published(name, version)) {
     console.log(`already published ${name}@${version}`)
     return
   }
-  if (process.platform !== "win32") await $`chmod -R 755 .`.cwd(dir)
   await $`bun pm pack`.cwd(dir)
   await $`npm publish *.tgz --access public --tag ${Script.channel}`.cwd(dir)
 }

Original file line number	Diff line number	Diff line change
`@@ -12,11 +12,13 @@ async function published(name: string, version: string) {`
`12`	`12`	`}`
`13`	`13`
`14`	`14`	`async function publish(dir: string, name: string, version: string) {`
	`15`	`+ // GitHub artifact downloads can drop the executable bit, and Docker uses the`
	`16`	`+ // unpacked dist binaries directly rather than the published tarball.`
	`17`	+ if (process.platform !== "win32") await $`chmod -R 755 .`.cwd(dir)
`15`	`18`	`if (await published(name, version)) {`
`16`	`19`	console.log(`already published ${name}@${version}`)
`17`	`20`	`return`
`18`	`21`	`}`
`19`		- if (process.platform !== "win32") await $`chmod -R 755 .`.cwd(dir)
`20`	`22`	await $`bun pm pack`.cwd(dir)
`21`	`23`	await $`npm publish *.tgz --access public --tag ${Script.channel}`.cwd(dir)
`22`	`24`	`}`