From f5b49efe42c0928dc292efe24946cccad86d711e Mon Sep 17 00:00:00 2001
From: Frantisek Sumsal <frantisek@sumsal.cz>
Date: Tue, 20 Jun 2023 16:25:07 +0200
Subject: [PATCH] ci: tweak build dir's ACL when collecting coverage

So gcov can create necessary directories/.gcda files even with dropped
privileges.
---
 .github/workflows/cibuild.sh | 14 ++++++++++++++
 1 file changed, 14 insertions(+)

diff --git a/.github/workflows/cibuild.sh b/.github/workflows/cibuild.sh
index 00fae0ab82..8adac1ab68 100755
--- a/.github/workflows/cibuild.sh
+++ b/.github/workflows/cibuild.sh
@@ -162,6 +162,20 @@ for phase in "${PHASES[@]}"; do
             fi
         fi
 
+        if [[ "$COVERAGE" == "yes" ]]; then
+            # Make (almost) everything under current directory readable/writable
+            # for everyone to allow gcov to write the .gcda files even with
+            # dropped privileges
+            find . tests/helpers/ -maxdepth 1 -type d ! -name . ! -name tests \
+                                  -exec setfacl -R -m 'd:g::rwX,d:o::rwX' -m 'g::rwX,o::rwX' '{}' \;
+            # Make sure we can access $PWD as an unpriv user
+            path="$PWD"
+            while [[ "$path" != / ]]; do
+                chmod o+rx "$path"
+                path="$(dirname "$path")"
+            done
+        fi
+
         ./tests/run.sh --show-diff
 
         if [[ "$COVERAGE" == "yes" ]]; then
-- 
2.47.2