From 7f37e11e5600e24cf1823c5b3fec9004dcdef1e5 Mon Sep 17 00:00:00 2001
From: "github-actions[bot]" <github-actions[bot]@users.noreply.github.com>
Date: Thu, 1 Jan 2026 20:08:57 +0000
Subject: [PATCH] Fix incorrect file permissions in add_command.go (Alert #386)
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

Changed os.WriteFile permissions from 0644 to 0600 to follow security
best practices and principle of least privilege.

Addresses gosec G306 security alert.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>
---
 pkg/cli/add_command.go | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/pkg/cli/add_command.go b/pkg/cli/add_command.go
index 58a5176514..f47d71ff22 100644
--- a/pkg/cli/add_command.go
+++ b/pkg/cli/add_command.go
@@ -725,8 +725,8 @@ func addWorkflowWithTracking(workflow *WorkflowSpec, number int, verbose bool, e
 			}
 		}
 
-		// Write the file
-		if err := os.WriteFile(destFile, []byte(content), 0644); err != nil {
+		// Write the file with restrictive permissions (0600) to follow security best practices
+		if err := os.WriteFile(destFile, []byte(content), 0600); err != nil {
 			return fmt.Errorf("failed to write destination file '%s': %w", destFile, err)
 		}