From d5db8208f9147761c05b11340bed1e540b63f549 Mon Sep 17 00:00:00 2001 From: Max Flanagan Date: Sat, 4 Apr 2026 23:15:31 -0400 Subject: [PATCH] fix: restore ripgrep execute bits after bun install --production (#1163) MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit bun install --production strips execute bits from vendored binaries (bun bug). The Claude Agent SDK ships rg binaries in: node_modules/@anthropic-ai/claude-agent-sdk/vendor/ripgrep/ {x64,arm64}-{linux,darwin}/rg {x64,arm64}-win32/rg.exe After bun --production, all of these lose +x, causing EACCES when the SDK tries to spawn ripgrep. The fix is a targeted find(1) that restores +x on the rg binaries immediately after bun install. Design notes: - -type f excludes symlinks (symlink attack safety, no || true needed) - -name "rg" naturally excludes rg.exe on Windows (find returns nothing, chmod never called — safe and correct on all platforms) - .node audio-capture files use dlopen, not exec — no +x needed there - Fails loudly if the binary path is missing (no || true) so a SDK packaging change is immediately visible rather than silently broken Fixes #1140 Co-authored-by: Claude Sonnet 4.6 --- action.yml | 4 ++++ 1 file changed, 4 insertions(+) diff --git a/action.yml b/action.yml index 244f8fb..0bbe537 100644 --- a/action.yml +++ b/action.yml @@ -194,6 +194,10 @@ runs: run: | cd ${GITHUB_ACTION_PATH} bun install --production + # bun install --production strips execute bits from vendored binaries (bun issue #1140). + # Restore +x on the ripgrep binaries so the Claude Agent SDK can exec them. + find "${GITHUB_ACTION_PATH}/node_modules/@anthropic-ai/claude-agent-sdk/vendor/ripgrep" \ + -name "rg" -type f -exec chmod +x {} \; - name: Install subprocess isolation dependencies # Install subprocess isolation dependencies when processing content from non-write users.