fix: restore ripgrep execute bits after bun install --production (#1163)

bun install --production strips execute bits from vendored binaries (bun bug). The Claude Agent SDK ships rg binaries in: node_modules/@anthropic-ai/claude-agent-sdk/vendor/ripgrep/ {x64,arm64}-{linux,darwin}/rg {x64,arm64}-win32/rg.exe After bun --production, all of these lose +x, causing EACCES when the SDK tries to spawn ripgrep. The fix is a targeted find(1) that restores +x on the rg binaries immediately after bun install. Design notes: - -type f excludes symlinks (symlink attack safety, no || true needed) - -name "rg" naturally excludes rg.exe on Windows (find returns nothing, chmod never called — safe and correct on all platforms) - .node audio-capture files use dlopen, not exec — no +x needed there - Fails loudly if the binary path is missing (no || true) so a SDK packaging change is immediately visible rather than silently broken Fixes #1140 Co-authored-by: Claude Sonnet 4.6 <noreply@anthropic.com>
2026-04-04 23:15:31 -04:00 · 2026-04-04 23:15:31 -04:00 · d5db8208f9
commit d5db8208f9
parent d8af4e9f01
1 changed files with 4 additions and 0 deletions
--- a/action.yml
+++ b/action.yml
@ -194,6 +194,10 @@ runs:
      run: |
        cd ${GITHUB_ACTION_PATH}
        bun install --production
+        # bun install --production strips execute bits from vendored binaries (bun issue #1140).
+        # Restore +x on the ripgrep binaries so the Claude Agent SDK can exec them.
+        find "${GITHUB_ACTION_PATH}/node_modules/@anthropic-ai/claude-agent-sdk/vendor/ripgrep" \
+          -name "rg" -type f -exec chmod +x {} \;

    - name: Install subprocess isolation dependencies
      # Install subprocess isolation dependencies when processing content from non-write users.