fs: default writeSecureFile to 0600 (owner-only) #154

1seal · 2026-02-02T14:17:43Z

summary
writeSecureFile currently defaults to 0o640, which makes created files group-readable. since this helper is used to write credential material (directly or via downstream actions), this changes the default to 0o600 while keeping the ability for callers to override mode explicitly.

changes

update writeSecureFile default mode to 0o600
update unit tests to assert the new default and keep coverage for custom mode
update generated docs/dist outputs accordingly

compatibility
this is a behavior change for callers that relied on the previous default group-readable permissions. those callers can restore the old behavior by passing mode: 0o640 explicitly.

testing

npm test
npm run lint\n\ncloses writeSecureFile defaults to group-readable mode (0640) #153

change writeSecureFile default mode from 0640 to 0600 (owner-only) and update tests/docs. callers can still override mode explicitly.

fs: default writeSecureFile to 0600

17ffc9d

change writeSecureFile default mode from 0640 to 0600 (owner-only) and update tests/docs. callers can still override mode explicitly.

1seal requested a review from a team as a code owner February 2, 2026 14:17

1seal requested review from R2wenD2 and haroonc February 2, 2026 14:17

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

fs: default writeSecureFile to 0600 (owner-only) #154

fs: default writeSecureFile to 0600 (owner-only) #154

Uh oh!

1seal commented Feb 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant

fs: default writeSecureFile to 0600 (owner-only) #154

Are you sure you want to change the base?

fs: default writeSecureFile to 0600 (owner-only) #154

Uh oh!

Conversation

1seal commented Feb 2, 2026

Uh oh!

Reviewers

Assignees

Labels

Milestone

Development

Uh oh!

1 participant