From 69214f9d74fea2fd41b0d5ca2f5222dd5ba34fd4 Mon Sep 17 00:00:00 2001
From: David Gamero
Date: Thu, 4 Jun 2026 19:25:36 -0400
Subject: [PATCH] fix: use chmod 755 instead of 777 for downloaded helm binary and folder (#278)

World-writable permissions allow other processes on shared runners to replace the helm binary or inject files between download and execution.
Ultraworked with [Sisyphus](https://github.com/code-yeongyu/oh-my-openagent)
Co-authored-by: Sisyphus
---
 src/run.test.ts | 8 ++++----
 src/run.ts | 6 +++---
 2 files changed, 7 insertions(+), 7 deletions(-)
diff --git a/src/run.test.ts b/src/run.test.ts
index f4a4b51..01f2fd0 100644
--- a/src/run.test.ts
+++ b/src/run.test.ts
@@ -288,11 +288,11 @@ describe('run.ts', () => {
 expect(toolCache.downloadTool).toHaveBeenCalledWith(
 'https://test.tld/helm-v4.0.0-windows-amd64.zip'
 )
- expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '777')
+ expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '755')
 expect(toolCache.extractZip).toHaveBeenCalledWith('pathToTool')
 expect(fs.chmodSync).toHaveBeenCalledWith(
 path.join('pathToCachedDir', 'helm.exe'),
- '777'
+ '755'
 )
 })

@@ -335,7 +335,7 @@ describe('run.ts', () => {
 expect(toolCache.find).toHaveBeenCalledWith('helm', 'v3.2.1')
 expect(fs.chmodSync).toHaveBeenCalledWith(
 path.join('pathToCachedDir', 'helm.exe'),
- '777'
+ '755'
 )
 })

@@ -362,7 +362,7 @@ describe('run.ts', () => {
 expect(toolCache.downloadTool).toHaveBeenCalledWith(
 'https://test.tld/helm-v3.2.1-windows-amd64.zip'
 )
- expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '777')
+ expect(fs.chmodSync).toHaveBeenCalledWith('pathToTool', '755')
 expect(toolCache.extractZip).toHaveBeenCalledWith('pathToTool')
 })
 })
diff --git a/src/run.ts b/src/run.ts
index 1303a16..9554797 100644
--- a/src/run.ts
+++ b/src/run.ts
@@ -105,7 +105,7 @@ export async function downloadHelm(
 )
 }

- fs.chmodSync(helmDownloadPath, '777')
+ fs.chmodSync(helmDownloadPath, '755')
 const extractedPath =
 getPlatform() === 'windows'
 ? await toolCache.extractZip(helmDownloadPath)
@@ -125,12 +125,12 @@ export async function downloadHelm(
 )
 }

- fs.chmodSync(helmpath, '777')
+ fs.chmodSync(helmpath, '755')
 return helmpath
 }

 export function findHelm(rootFolder: string): string {
- fs.chmodSync(rootFolder, '777')
+ fs.chmodSync(rootFolder, '755')
 let filelist: string[] = []
 walkSync(rootFolder, filelist, helmToolName + getExecutableExtension())
 if (!filelist || filelist.length == 0) {
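Review bot: `fs.chmodSync(helmDownloadPath, '755')` in the first src/run.ts hunk still sets the execute bits on the downloaded archive, which the following lines only hand to `toolCache.extractZip` (and presumably to a tar extractor on the branch outside the hunk), so read access is all it needs. `fs.chmodSync(helmDownloadPath, '644')` would match the commit's stated intent more closely; the `'pathToTool'` expectations in src/run.test.ts would change with it. Nothing in the visible lines compares the archive with a published checksum before extraction, so if downloadHelm does not do that elsewhere, the tighter mode still leaves a tampered download undetected. downloadHelm starts and ends outside this hunk.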
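Review bot: `fs.chmodSync(rootFolder, '755')` in findHelm tightens only the top-level folder, while `walkSync` appears to look for the binary beneath it, so any extracted subdirectory keeps the mode the archive or the umask gave it. A group- or world-writable directory between `rootFolder` and the binary would still let another account replace the file even though `helmpath` itself becomes `755`; consider also setting the mode on the located binary's parent directory, for example `fs.chmodSync(path.dirname(helmpath), '755')` next to the `helmpath` call in downloadHelm (assuming `path` is imported in run.ts). On Windows, Node's chmod only toggles the read-only attribute, so the change gives no protection on the `helm.exe` path, and a comment such as `// 755: owner-writable only; on Windows this only affects the read-only flag` beside the call would record that. findHelm's body continues past the end of the hunk.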