settings.php permissions

[loopy3025]

Describe the bug
On composer install, drupal-recommended-settings runs /home/ide/project/vendor/bin/drush drs:init:settings. When it does this, permissions on settings.php change from 644 to 755.

To Reproduce

chmod 644 docroot/sites/default/settings.php
rm -rf vendor
git checkout composer.lock
composer install

Expected behavior
Permissions on settings.php should be 644 on a drupal website.

Environment
Happening both locally and during pipelines ci, so ci fails on a check dirty.

Additional context
I have tried adding the file to file-mapping in composer, but that also doesn't work. The chmod still happens.

"extra": {
        "drupal-scaffold": {
            "locations": {
                "web-root": "./docroot"
            },
            "file-mapping": {
                "[web-root]/sites/default/settings.php": false
            }
        },
}

Although I really don't want to do this anyways because it wouldn't capture future patches to settings.php.

For now I will add a hook that re-chmods the file but this is weird.

[loopy3025]

I am wondering if this is an intentional aspect of drupal-recommended-settings and I should just let it happen.

I have noticed, when ssh into these sites, that some seem to have changed the permissions to -r--r--r--. On the site I am currently working on, the settings.php file has not been included in the deployment artefact at all. This is most perplexing.

[loopy3025]

I've gone and added settings.php to the gitignore then added git add -f docroot/sites/default/settings.php to the build artefact step in pipelines. I am 99% sure the file is being added during composer install. The file is still not in the build artefact. I am really not sure what's going on here.

[loopy3025]

Pipelines is definitely adding the file to the commit. It just isn't making it to the build artefact itslef somehow.

[loopy3025]

As it turns out, the missing settings file is an issue with Acquia's ODE environments.

However, I still think it's weird that the settings.php file gets chmod to 777 during composer install.

[loopy3025]

We have decided to add the docroot/sites/default/settings.php to our gitignore file and just let drupal-recommended-settings do whatever it wants there. The file does get committed to the build artefact without the need to add -f to the git add command.

[iamsophiesk]

Found this too - we have a multisite installation so it's only adding the sites/default/settings.php file, not the multisites' settings files.

We have the file committed into the repo as it's got DDEV config require in it, as well as some basic setup for devs who forget to set up their local config, so it's not really feasible to add it to the gitignore.

Yes, the permissions for the file on the Acquia server get changed to -r--r--r--/0444 but they shouldn't be -rwxr-xr-x/0755 during builds.