Circleci local execute fails to checkout code when the local mounted directory has mode 0640

I’ve added a command “ls -al /tmp” just before checkout to the config at to try to debug this; it looks like /bin/bash: line 0: cd: /tmp/_circleci_local_build_repo: Permission denied is being given because the mount of the local source has the same permissions and UID/GID as the host filesystem, and because of that isn’t accessible to the circleci user inside the container.

Here’s a full transcript (including the ls -al just before checkout I mentioned above):

$ circleci config validate
Config file at .circleci/config.yml is valid.
$ circleci config process .circleci/config.yml > tmpconfig.yml
$ circleci local execute -c tmpconfig.yml --job build
Docker image digest: sha256:ee78b3e824f71fad3700d6a730c58bc932c346e316462840f3aa9f1f02e581ce
====>> Spin up Environment
Build-agent version 1.0.18722-521b85a4 (2019-11-09T09:05:04+0000)
Docker Engine Version: 19.03.5
Kernel Version: Linux 6d7a05398148 5.2.17-1rodete3-amd64 #1 SMP Debian 5.2.17-1rodete3 (2019-10-21 > 2018) x86_64 Linux
Starting container circleci/python:3.7
using image circleci/python@sha256:25142ff5f79d1a0af1322ac8958f1e396f1a6ef626fc9d09f094ac60df8c9fb9

Using build environment variables

====>> ls -al /tmp
#!/bin/bash -eo pipefail
ls -al /tmp
total 20
drwxrwxrwt 1 root root 4096 Jan 27 23:07 .
drwxr-xr-x 1 root root 4096 Jan 27 23:07 ..
drwxr-x--- 13 30669 5000 4096 Jan 26 04:26 _circleci_local_build_repo
-rw-r--r-- 1 circleci circleci 1 Jan 27 23:07
drwx------ 2 circleci circleci 4096 Jan 27 23:07 circleci-044741687
====>> Checkout code
#!/bin/bash -eo pipefail
mkdir -p /home/circleci/nsscache && cd /tmp/_circleci_local_build_repo && git ls-files | tar -T - -c | tar -x -C /home/circleci/nsscache && cp -a /tmp/_circleci_local_build_repo/.git /home/circleci/nsscache
/bin/bash: line 0: cd: /tmp/_circleci_local_build_repo: Permission denied
Error: Exited with code 1
Step failed

chmod -R o+r . addresses this, but it would be neat if the tool explained why it failed earlier and with a better error message.

Opening read to “other” might not be possible in some environments, so if the tool could handle this without changing permissions that would be really awesome.
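
The early check asked for above could look like the following sketch, which is an added example and not part of the original post or of the circleci CLI. It takes the container user's numeric uid/gid as arguments (they are not shown on this page), assumes GNU stat on a Linux host, and the function names are made up for illustration.

```sh
#!/bin/sh
# Added example: pre-flight check for a repo that will be bind-mounted into a
# build container. A bind mount keeps the host's owner, group and mode, so the
# container user is judged by its numeric uid/gid against the host's bits.
# Limitation: supplementary groups and ACLs are not considered.
# The container ids can be read with e.g.: docker run --rm circleci/python:3.7 id

# perm_bits DIR UID GID: print the rwx bits (0-7) that apply to that uid/gid:
# owner bits if the uid matches, else group bits if the gid matches, else other.
perm_bits() {
    raw=$(stat -c '%a' "$1") || return 2
    mode=$((0$raw))                      # leading 0: read the mode as octal
    if [ "$2" -eq "$(stat -c '%u' "$1")" ]; then
        echo $(( (mode >> 6) & 7 ))
    elif [ "$3" -eq "$(stat -c '%g' "$1")" ]; then
        echo $(( (mode >> 3) & 7 ))
    else
        echo $(( mode & 7 ))
    fi
}

# can_enter DIR UID GID: succeed if that uid/gid can list (r) and cd into (x) DIR.
can_enter() {
    [ "$2" -eq 0 ] && return 0           # uid 0 is not limited by the mode bits
    bits=$(perm_bits "$1" "$2" "$3") || return 2
    [ $(( bits & 5 )) -eq 5 ]
}

# preflight REPO UID GID: report the cause before the job reaches checkout.
preflight() {
    if can_enter "$1" "$2" "$3"; then
        echo "ok: uid $2 gid $3 can enter $1"
    else
        echo "error: $1 is $(stat -c '%A, owner %u:%g' "$1");" \
             "uid $2 gid $3 cannot cd into it through a bind mount" >&2
        return 1
    fi
}
```
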