@@ -152,11 +152,11 @@ describe("tool.write", () => {
152152 } )
153153
154154 describe ( "file permissions" , ( ) => {
155- test ( "sets file permissions when writing sensitive data" , async ( ) => {
155+ async function writeAndCheckMode ( umask : number , expected : number ) {
156156 await using tmp = await tmpdir ( )
157157 const filepath = path . join ( tmp . path , "sensitive.json" )
158158
159- const prevUmask = process . umask ( 0o022 )
159+ const prevUmask = process . umask ( umask )
160160 try {
161161 await Instance . provide ( {
162162 directory : tmp . path ,
@@ -173,14 +173,18 @@ describe("tool.write", () => {
173173 // On Unix systems, check permissions
174174 if ( process . platform !== "win32" ) {
175175 const stats = await fs . stat ( filepath )
176- expect ( stats . mode & 0o777 ) . toBe ( 0o644 )
176+ expect ( stats . mode & 0o777 ) . toBe ( expected )
177177 }
178178 } ,
179179 } )
180180 } finally {
181181 process . umask ( prevUmask )
182182 }
183- } )
183+ }
184+
185+ test ( "base mode is 0o644 before umask masking" , ( ) => writeAndCheckMode ( 0o000 , 0o644 ) )
186+ test ( "respects umask 0o022 → 0o644" , ( ) => writeAndCheckMode ( 0o022 , 0o644 ) )
187+ test ( "respects umask 0o077 → 0o600" , ( ) => writeAndCheckMode ( 0o077 , 0o600 ) )
184188 } )
185189
186190 describe ( "content types" , ( ) => {
0 commit comments