diff --git a/server/legacy/core/runtime/show_step_runner.go b/server/legacy/core/runtime/show_step_runner.go
index 0f8e99406..f728487ca 100644
--- a/server/legacy/core/runtime/show_step_runner.go
+++ b/server/legacy/core/runtime/show_step_runner.go
@@ -53,7 +53,7 @@ func (p *ShowStepRunner) Run(ctx context.Context, prjCtx command.ProjectContext,
 return output, errors.Wrap(err, "running terraform show")
 }
- if err := os.WriteFile(showResultFile, []byte(output), os.ModePerm); err != nil {
+ if err := os.WriteFile(showResultFile, []byte(output), 0600); err != nil {
 return "", errors.Wrap(err, "writing terraform show result")
 }
diff --git a/server/legacy/events/working_dir_iterator_test.go b/server/legacy/events/working_dir_iterator_test.go
index 84967152b..7fbfc42ba 100644
--- a/server/legacy/events/working_dir_iterator_test.go
+++ b/server/legacy/events/working_dir_iterator_test.go
@@ -72,7 +72,7 @@ func TestListCurrentWorkingDirPulls(t *testing.T) {
 baseDir := t.TempDir()
- _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), os.ModePerm)
+ _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), 0600)
 pegomock.When(mockGHClient.GetPullRequestFromName("repo1", "nish", 1)).ThenReturn(expectedGithubPull, nil)
 pegomock.When(mockEventParser.ParseGithubPull(expectedGithubPull)).ThenReturn(expectedInternalPull, models.Repo{}, models.Repo{}, nil)
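Review bot: In show_step_runner.go, `os.WriteFile(showResultFile, []byte(output), 0600)` applies the mode only when it creates the file; if showResultFile already exists (for example, left behind by a build that still used os.ModePerm), it is truncated and keeps its old permission bits. Because terraform show output can contain sensitive plan values, consider following the write with `if err := os.Chmod(showResultFile, 0600); err != nil { return "", errors.Wrap(err, "restricting terraform show result") }`, or removing the file before writing. The same caveat applies to `Writer.Write` in file/writer.go and, if `safeWriteFile` wraps os.WriteFile (its body is not shown), to `writeConfig` in credentials.go. Run's body starts and ends outside this hunk.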
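Review bot: In working_dir_iterator_test.go, `0600` is a file mode, not a directory mode: a directory without the execute (search) bit cannot be traversed, so for a non-root user `os.MkdirAll(..., 0600)` creates the first missing component (`repos`) and then fails with a permission error on the next one. The error is discarded with `_ =`, so the fixture tree silently does not exist and the test no longer exercises what it intends to. Use `0700` for directories, e.g. `_ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), 0700)`, and preferably check the returned error. The same applies to the hunks at -112 and -156 in this file and to `os.Mkdir(..., 0600)` and `os.MkdirAll(dst, 0600)` in deploy_test.go, where the following `os.WriteFile` into `dst` would also be denied.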
@@ -112,8 +112,8 @@ func TestListCurrentWorkingDirPulls(t *testing.T) {
 baseDir := t.TempDir()
- _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), os.ModePerm)
- _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "2", "default"), os.ModePerm)
+ _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), 0600)
+ _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "2", "default"), 0600)
 pegomock.When(mockGHClient.GetPullRequestFromName("repo1", "nish", pullNum1)).ThenReturn(expectedGithubPull1, nil)
 pegomock.When(mockGHClient.GetPullRequestFromName("repo1", "nish", pullNum2)).ThenReturn(expectedGithubPull2, nil)
@@ -156,8 +156,8 @@ func TestListCurrentWorkingDirPulls(t *testing.T) {
 baseDir := t.TempDir()
- _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), os.ModePerm)
- _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo2", "2", "default"), os.ModePerm)
+ _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo1", "1", "default"), 0600)
+ _ = os.MkdirAll(filepath.Join(baseDir, "repos", "nish", "repo2", "2", "default"), 0600)
 pegomock.When(mockGHClient.GetPullRequestFromName("repo1", "nish", pullNum1)).ThenReturn(expectedGithubPull1, nil)
 pegomock.When(mockGHClient.GetPullRequestFromName("repo2", "nish", pullNum2)).ThenReturn(expectedGithubPull2, nil)
diff --git a/server/neptune/workflows/activities/file/writer.go b/server/neptune/workflows/activities/file/writer.go
index 250785be7..04a187967 100644
--- a/server/neptune/workflows/activities/file/writer.go
+++ b/server/neptune/workflows/activities/file/writer.go
@@ -5,5 +5,5 @@ import "os"
 type Writer struct{}
 func (f *Writer) Write(name string, data []byte) error {
- return os.WriteFile(name, data, os.ModePerm)
+ return os.WriteFile(name, data, 0600)
 }
diff --git a/server/neptune/workflows/activities/github/cli/credentials.go b/server/neptune/workflows/activities/github/cli/credentials.go
index ed2f63f56..f185f4967 100644
--- a/server/neptune/workflows/activities/github/cli/credentials.go
+++ b/server/neptune/workflows/activities/github/cli/credentials.go
@@ -110,7 +110,7 @@ func (c *Credentials) safeReadFile(file string) (string, error) {
 }
 func (c *Credentials) writeConfig(file string, contents []byte) error {
- if err := c.safeWriteFile(file, contents, os.ModePerm); err != nil {
+ if err := c.safeWriteFile(file, contents, 0600); err != nil {
 return err
 }
 if err := c.Git("config", "--global", "credential.helper", "store"); err != nil {
diff --git a/server/neptune/workflows/activities/github/cli/credentials_test.go b/server/neptune/workflows/activities/github/cli/credentials_test.go
index 6af8130ba..820410e5a 100644
--- a/server/neptune/workflows/activities/github/cli/credentials_test.go
+++ b/server/neptune/workflows/activities/github/cli/credentials_test.go
@@ -113,7 +113,7 @@ func TestRefresh(t *testing.T) {
 credentialsFile := filepath.Join(dir, ".git-credentials")
 oldContents := "https://x-access-token:123456@github.com"
- err := os.WriteFile(credentialsFile, []byte(oldContents), os.ModePerm)
+ err := os.WriteFile(credentialsFile, []byte(oldContents), 0600)
 assert.NoError(t, err)
 capturedGitArgs := [][]string{}
@@ -159,7 +159,7 @@ func TestRefresh(t *testing.T) {
 credentialsFile := filepath.Join(dir, ".git-credentials")
 oldContents := "https://x-access-token:123456@github.com"
- err := os.WriteFile(credentialsFile, []byte(oldContents), os.ModePerm)
+ err := os.WriteFile(credentialsFile, []byte(oldContents), 0600)
 assert.NoError(t, err)
 tc := &testInstallationTransport{
diff --git a/server/neptune/workflows/deploy_test.go b/server/neptune/workflows/deploy_test.go
index 933df53a5..4a01ff30a 100644
--- a/server/neptune/workflows/deploy_test.go
+++ b/server/neptune/workflows/deploy_test.go
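Review bot: TestRefresh in credentials_test.go now seeds `.git-credentials` at 0600 in both hunks, but nothing visible here asserts the mode of the file the code under test leaves behind, so a regression back to a world-readable token file would still pass. After the refresh call, consider adding `info, err := os.Stat(credentialsFile)`, `assert.NoError(t, err)` and `assert.Equal(t, os.FileMode(0600), info.Mode().Perm())`. A case that starts without a pre-existing file would cover the creation path too, since a write to an existing file may leave its mode unchanged. The test bodies continue outside both hunks, so such an assertion may already exist there.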
@@ -129,7 +129,7 @@ func buildConfig(t *testing.T) config.Config {
 dataDir := t.TempDir()
 // storage client uses this for it's local backend.
- err = os.Mkdir(filepath.Join(dataDir, "container"), os.ModePerm)
+ err = os.Mkdir(filepath.Join(dataDir, "container"), 0600)
 assert.NoError(t, err)
 conftestVersion, err := version.NewVersion("0.25.0")
 assert.NoError(t, err)
@@ -238,13 +238,13 @@ var fileContents = ` resource "null_resource" "null" {}
 func GetLocalTestRoot(ctx context.Context, dst, src string) error {
 // dst will be the repo path here but we also need to create the root itself
 dst = filepath.Join(dst, "terraform", "mytestroot")
- err := os.MkdirAll(dst, os.ModePerm)
+ err := os.MkdirAll(dst, 0600)
 if err != nil {
 return errors.Wrapf(err, "creating directory at %s", dst)
 }
- if err := os.WriteFile(filepath.Join(dst, "main.tf"), []byte(fileContents), os.ModePerm); err != nil {
+ if err := os.WriteFile(filepath.Join(dst, "main.tf"), []byte(fileContents), 0600); err != nil {
 return errors.Wrapf(err, "writing file")
 }