From bf75999bcb6f7d79c5ad953244baeb14166eaf22 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]"
Date: Mon, 5 Jan 2026 16:17:04 +0000
Subject: [PATCH] Fix file permissions in git.go (alerts #373, #372)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changed file permissions from 0644 to 0600 for .gitattributes and .gitignore files to follow security best practices and principle of least privilege.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5
---
 pkg/cli/git.go | 8 ++++----
 1 file changed, 4 insertions(+), 4 deletions(-)

diff --git a/pkg/cli/git.go b/pkg/cli/git.go
index cd83845588a..1feeca06396 100644
--- a/pkg/cli/git.go
+++ b/pkg/cli/git.go
@@ -216,9 +216,9 @@ func ensureGitAttributes() error {
 return nil
 }

- // Write back to file
+ // Write back to file with owner-only read/write permissions (0600) for security best practices
 content := strings.Join(lines, "\n")
- if err := os.WriteFile(gitAttributesPath, []byte(content), 0644); err != nil {
+ if err := os.WriteFile(gitAttributesPath, []byte(content), 0600); err != nil {
 gitLog.Printf("Failed to write .gitattributes: %v", err)
 return fmt.Errorf("failed to write .gitattributes: %w", err)
 }
@@ -261,14 +261,14 @@ func ensureLogsGitignore() error {
 return fmt.Errorf("failed to create .github/aw/logs directory: %w", err)
 }

- // Write the .gitignore file
+ // Write the .gitignore file with owner-only read/write permissions (0600) for security best practices
 gitignoreContent := `# Ignore all downloaded workflow logs
 *

 # But keep the .gitignore file itself
 !.gitignore
 `
- if err := os.WriteFile(gitignorePath, []byte(gitignoreContent), 0644); err != nil {
+ if err := os.WriteFile(gitignorePath, []byte(gitignoreContent), 0600); err != nil {
 gitLog.Printf("Failed to write .gitignore: %v", err)
 return fmt.Errorf("failed to write .github/aw/logs/.gitignore: %w", err)
 }
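Review bot: The new `0600` argument in `ensureGitAttributes` only takes effect when `.gitattributes` does not exist yet, because `os.WriteFile` truncates an existing file without changing its mode, and an existing file appears to be the common case on this "write back" path. If owner-only access is really required, follow the write with `if err := os.Chmod(gitAttributesPath, 0600); err != nil { return fmt.Errorf("failed to chmod .gitattributes: %w", err) }`. If it is not required (both files hold non-secret, tracked content, and git records only the executable bit, so the mode never reaches other clones), replace "for security best practices" with the actual reason, e.g. `// 0600 satisfies the file-permission scanner; content is not sensitive and an existing file keeps its mode`. The same applies to the `os.WriteFile(gitignorePath, …, 0600)` call in `ensureLogsGitignore`, where a newly created file also becomes unreadable to tooling that runs under a different uid on a shared checkout. Both function bodies start and end outside their hunks, so whether either file already exists at this point cannot be confirmed from the diff.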