writeSecureFile defaults to group-readable mode (0640)

[1seal]

summary
writeSecureFile in @google-github-actions/actions-utils currently defaults to mode: 0o640 (group-readable). the function is commonly used to write credential material (for example by google-github-actions/auth), so the safer default is owner-only (0o600) while still allowing callers to opt into broader permissions explicitly.

why this matters
on self-hosted runners and other shared hosts, group membership and shared filesystems are common. when a credential file is created with group-read permissions, another process/user in the same group can read the credential material.

proposed change

• change the default mode in writeSecureFile from 0o640 to 0o600
• keep options.mode override behavior unchanged

notes

• this is a secure-by-default hardening change; callers that want group-readable files can continue to pass a custom mode.