Fix chmod race condition when generating key

Encrypted keys were updated [previously][1] to restrict other users from
reading the file by default. However, there is a brief period of time
between an encrypted key being created and its permissions being set to
0600. This means that it is possible for another user to read that file
during that time.

This commit fixes that issue by setting the desired permissions when the
file is created. The ability to use the `perm` option was added in Thor
1.2.2 so the minimum version was updated in the Railties gemspec.

[1]: 4c6c3575c6

Gemfile.lock

@@ -106,7 +106,7 @@ PATH
       irb
       rackup (>= 1.0.0)
       rake (>= 12.2)
-      thor (~> 1.0)
+      thor (~> 1.0, >= 1.2.2)
       zeitwerk (~> 2.6)
 
 GEM
@@ -517,7 +517,7 @@ GEM
       railties (>= 6.0.0)
     terser (1.1.13)
       execjs (>= 0.3.0, < 3)
-    thor (1.2.1)
+    thor (1.2.2)
     tilt (2.0.11)
     timeout (0.3.2)
     tomlrb (2.0.3)

railties/lib/rails/generators/rails/encryption_key_file/encryption_key_file_generator.rb

@@ -26,8 +26,7 @@ module Rails
       end
 
       def add_key_file_silently(key_path, key = nil)
-        create_file key_path, key || ActiveSupport::EncryptedFile.generate_key
-        key_path.chmod 0600
+        create_file key_path, key || ActiveSupport::EncryptedFile.generate_key, perm: 0600
       end
 
       def ignore_key_file(key_path, ignore: key_ignore(key_path))

railties/railties.gemspec

@@ -42,7 +42,7 @@ Gem::Specification.new do |s|
 
   s.add_dependency "rackup", ">= 1.0.0"
   s.add_dependency "rake", ">= 12.2"
-  s.add_dependency "thor", "~> 1.0"
+  s.add_dependency "thor", "~> 1.0", ">= 1.2.2"
   s.add_dependency "zeitwerk", "~> 2.6"
   s.add_dependency "irb"