This was first noticed yesterday where a commit to integration/jenkins.git (deployed as /srv/deployment/integration/slave-scripts on the integration slaves in labs) caused the modified files to become root read-only after the next puppet run.
@bd808 and myself spent some time debugging this but concluded that the existing puppet manifests didn't appear to contain any code that would cause this.
Relevant puppet manifests:
I confirmed it to be deterministic, when debugging on one of the slaves, by running git reset --hard HEAD^ and fixing permissions on the existing files. After we ran the puppet agent again, we observed the same issue happening again. The modified files since the previous commit were now all formatted as -rwx------ 1 root root.
In attempt to confirm there wasn't any preexisting state with sticky bits or umasks, I depoled one of the slaves, rm -rf'ed the slave-scripts checkout and had puppet re-create it. It looked okay at first. The files were properly readable by the Jenkins user and other users.
However after making another commit (e.g. I4d94af4673), the same issue happened again:
integration-slave1007:
$ ll /srv/deployment/integration/slave-scripts/bin -rwxr-xr-x 1 root root 1.1K Jan 28 23:21 mw-run-update-script.sh* -rwxr-xr-x 1 root root 682 Jan 28 23:21 mw-send-to-coveralls.sh* -rwx------ 1 root root 158 Jan 29 02:39 mw-set-env-qunit.sh* <-- -rwxr-xr-x 1 root root 1.1K Jan 28 23:21 mw-set-env.sh*