3 files changed, 3 insertions, 4 deletions

diff --git a/config/initializers/secret_token.rb b/config/initializers/secret_token.rb
index 7ebae44..32883cf 100644
--- a/config/initializers/secret_token.rb
+++ b/config/initializers/secret_token.rb
@@ -36,7 +36,7 @@ if GitlabCi::Application.secrets.secret_key_base.blank? || GitlabCi::Application
   all_secrets[Rails.env] = env_secrets
 
   # save secrets
-  File.open('config/secrets.yml', 'w') do |file|
+  File.open('config/secrets.yml', 'w', 0600) do |file|
     file.write(YAML.dump(all_secrets))
   end
 
diff --git a/doc/install/installation.md b/doc/install/installation.md
index 9f476b6..8cbc858 100644
--- a/doc/install/installation.md
+++ b/doc/install/installation.md
@@ -121,6 +121,7 @@ We recommend PostgreSQL but you can also use MySQL
 
     # Copy the example secrets file
     sudo -u gitlab_ci -H cp config/secrets.yml.example config/secrets.yml
+    sudo -u gitlab_ci -H chmod 0600 config/secrets.yml
 
     # Edit web server settings
     sudo -u gitlab_ci -H cp config/unicorn.rb.example config/unicorn.rb
@@ -135,9 +136,6 @@ We recommend PostgreSQL but you can also use MySQL
     # Change the permissions of the directory where build traces are stored
     sudo chmod -R u+rwX builds/
 
-    # Make sure GitLab CI can write to the builds/ directory
-    sudo chmod -R u+rwX  builds
-
 ### Install gems
 
     # For MySQL (note, the option says "without ... postgres")
diff --git a/doc/update/7.12-to-7.13.md b/doc/update/7.12-to-7.13.md
index 7fc85f6..2877c29 100644
--- a/doc/update/7.12-to-7.13.md
+++ b/doc/update/7.12-to-7.13.md
@@ -37,6 +37,7 @@ otherwise your secrets are exposed if one of your backups is compromised.
 
 ```
 sudo -u gitlab_ci -H cp config/secrets.yml.example config/secrets.yml
+sudo -u gitlab_ci -H chmod 0600 config/secrets.yml
 ```
 
 ### 5. Install libs, migrations etc