From 516b97dad5b6cc5d614ab3add848ccffde761f71 Mon Sep 17 00:00:00 2001
From: theaussiepom <theaussiepom@users.noreply.github.com>
Date: Mon, 22 Dec 2025 22:58:07 +0000
Subject: [PATCH] docs: create config.env with secure perms

---
 README.md | 6 +++++-
 1 file changed, 5 insertions(+), 1 deletion(-)

diff --git a/README.md b/README.md
index c598bc4..f393fae 100644
--- a/README.md
+++ b/README.md
@@ -35,7 +35,10 @@ sudo apt-get install -y --no-install-recommends ca-certificates curl git
 1. Create `/etc/runner/config.env` using values from GitHub’s “New self-hosted runner” page:
 
 ```bash
-sudo mkdir -p /etc/runner
+sudo install -d -m 0755 /etc/runner
+
+# This file contains a short-lived registration token; keep it root-readable only.
+sudo install -m 0600 /dev/null /etc/runner/config.env
 sudo tee /etc/runner/config.env >/dev/null <<'EOF'
 # Optional: actions runner version to install.
 # Default: 2.330.0 (may not be the latest).
@@ -190,6 +193,7 @@ sudo apt-get install -y --no-install-recommends ca-certificates curl git
 sudo mkdir -p /etc/runner
 sudo cp /path/to/runner/examples/config.env.example /etc/runner/config.env
 sudo nano /etc/runner/config.env
+sudo chmod 600 /etc/runner/config.env
 ```
 
 1. Clone the repo and run the installer as root: