Fix chmod race condition when generating key

Encrypted keys were updated [previously][1] to restrict other users from
reading the file by default. However, there is a brief period of time
between an encrypted key being created and its permissions being set to
0600. This means that it is possible for another user to read that file
during that time.

This commit fixes that issue by setting the desired permissions when the
file is created. The ability to use the `perm` option was added in Thor
1.2.2 so the minimum version was updated in the Railties gemspec.

[1]: 4c6c357

Author: skipkayhil

Gemfile.lock

@@ -106,7 +106,7 @@ PATH
       irb
       rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
+      thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
 
 GEM
@@ -517,7 +517,7 @@ GEM
       railties (>= 6.0.0)
     terser (1.1.13)
       execjs (>= 0.3.0, < 3)
-    thor (1.2.1)
+    thor (1.2.2)
     tilt (2.0.11)
     timeout (0.3.2)
     tomlrb (2.0.3)

railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb

@@ -26,8 +26,7 @@ def add_key_file(key_path)
       end
 
       def add_key_file_silently(key_path, key = nil)
-        create_file key_path, key || ActiveSupport::EncryptedFile.generate_key
-        key_path.chmod 0600
+        create_file key_path, key || ActiveSupport::EncryptedFile.generate_key, perm: 0600
       end
 
       def ignore_key_file(key_path, ignore: key_ignore(key_path))

railties/railties.gemspec

@@ -42,7 +42,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency "rackup", ">= 1.0.0"
   s.add_dependency "rake", ">= 12.2"
-  s.add_dependency "thor", "~> 1.0"
+  s.add_dependency "thor", "~> 1.0", ">= 1.2.2"
   s.add_dependency "zeitwerk", "~> 2.6"
   s.add_dependency "irb"