refactor(cli): keep alteration scripts folder writable by gid 0 (#6328)

facilitates running in rootless container with r/w mounted alteration-scripts
directory (fixed #6327)

Dockerfile

@@ -40,6 +40,7 @@ RUN rm -rf .scripts pnpm-*.yaml packages/cloud
 FROM node:20-alpine as app
 WORKDIR /etc/logto
 COPY --from=builder /etc/logto .
+RUN mkdir -p /etc/logto/packages/cli/alteration-scripts && chmod g+w /etc/logto/packages/cli/alteration-scripts
 EXPOSE 3001
 ENTRYPOINT ["npm", "run"]
 CMD ["start"]

packages/cli/src/commands/database/alteration/utils.ts

@@ -44,8 +44,27 @@ export const getAlterationFiles = async (): Promise<AlterationFile[]> => {
   }
 
   // We need to copy alteration files to execute in the CLI context to make `slonik` available
-  await fs.rm(localAlterationDirectory, { force: true, recursive: true });
-  await fs.cp(alterationDirectory, localAlterationDirectory, { recursive: true });
+  // Notice that we don't remove the folder,
+  // this ensures that the writabiliy remains (and also allows this to be a separately-mounted directory.
+  if (!existsSync(localAlterationDirectory)) {
+    await fs.mkdir(localAlterationDirectory, { recursive: true });
+  }
+
+  const oldFiles = await fs.readdir(localAlterationDirectory);
+  await Promise.all(
+    oldFiles.map(async (file) =>
+      fs.rm(path.join(localAlterationDirectory, file), { force: true, recursive: true })
+    )
+  );
+  const newFiles = await fs.readdir(alterationDirectory);
+  await Promise.all(
+    newFiles.map(async (file) =>
+      fs.cp(path.join(alterationDirectory, file), path.join(localAlterationDirectory, file), {
+        recursive: true,
+        preserveTimestamps: true,
+      })
+    )
+  );
 
   const directory = await fs.readdir(localAlterationDirectory);
   const files = directory.filter((file) => alterationFilenameRegex.test(file));