gitlab-ci: Work around umask giving root-owned world-writable files
Explicitly call chmod
to work around the upstream GitLab issue
https://gitlab.com/gitlab-org/gitlab-runner/issues/1736
"File/directory creation umask when cloning is 0000
".
To work with Docker images that run with a specific non-root user, GitLab clones git repositories with umask set to 000: that is, to make non-root users from Docker be able to write in the repositories they are made world-writable.
This has nasty consequences with tools like Debos or the Docker image builders which copy files from the repository and trust the original permissions. In the case here, all the overlays resulted world-writable on the generated images, enabling trivial privilege escalations.
This commit should be reverted once the GitLab issue is fixed.
Ported from apertis-image-recipes@9fe735bb