From 2dbd35cbdf0575d876987c5e287fed72ab1691e7 Mon Sep 17 00:00:00 2001
From: David Gamero
Date: Thu, 4 Jun 2026 19:37:03 -0400
Subject: [PATCH] fix: set kubeconfig file permissions to 600 after creation (#252)

Kubeconfig created by az connectedk8s proxy inherits default permissions, leaving cluster credentials readable by other processes on the runner.
---
 src/kubeconfigs/azCommands.ts | 1 +
 1 file changed, 1 insertion(+)
diff --git a/src/kubeconfigs/azCommands.ts b/src/kubeconfigs/azCommands.ts
index 3e2cf92..6bbeed6 100644
--- a/src/kubeconfigs/azCommands.ts
+++ b/src/kubeconfigs/azCommands.ts
@@ -36,6 +36,7 @@ export async function runAzKubeconfigCommandBlocking(
 proc.unref()
 await sleep(AZ_TIMEOUT_SECONDS)
+ fs.chmodSync(kubeconfigPath, 0o600)
 return fs.readFileSync(kubeconfigPath).toString()
 }
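Review bot: The added `fs.chmodSync(kubeconfigPath, 0o600)` runs only after `await sleep(AZ_TIMEOUT_SECONDS)`, so the kubeconfig keeps its default mode for the whole wait, which is the exposure the commit message describes. Restricting access before the az process starts would close that window, for example by pre-creating the file with `fs.writeFileSync(kubeconfigPath, '', {mode: 0o600})` (this assumes az keeps the mode of an existing file, which needs checking) or by placing the file in a directory created with mode 0o700. If az has not written the file when the sleep ends, `chmodSync` throws ENOENT before the read does, so a comment such as `// owner-only; throws if az did not create the file in time` would document that. On Windows runners Node's chmod only changes the write bit, so the call does not restrict read access there. The function body starts above the hunk, so how `kubeconfigPath` is chosen and how `proc` is spawned are not visible here.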