update verbiage; add comments

README.md

@@ -49,19 +49,19 @@ Refer [here](https://github.com/actions/checkout/blob/v1/README.md) for previous
     # with the local git config, which enables your scripts to run authenticated git
     # commands. The post-job step removes the PAT.
     #
-    # We recommend creating a service account with the least permissions necessary.
-    # Also when generating a new PAT, select the least scopes necessary.
+    # We recommend using a service account with the least permissions necessary. Also
+    # when generating a new PAT, select the least scopes necessary.
     #
     # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     #
     # Default: ${{ github.token }}
     token: ''
 
-    # SSH key used to fetch the repository. SSH key is configured with the local git
-    # config, which enables your scripts to run authenticated git commands. The
+    # SSH key used to fetch the repository. The SSH key is configured with the local
+    # git config, which enables your scripts to run authenticated git commands. The
     # post-job step removes the SSH key.
     #
-    # We recommend creating a service account with the least permissions necessary.
+    # We recommend using a service account with the least permissions necessary.
     #
     # [Learn more about creating and using encrypted secrets](https://help.github.com/en/actions/automating-your-workflow-with-github-actions/creating-and-using-encrypted-secrets)
     ssh-key: ''

__test__/git-auth-helper.test.ts

@@ -320,6 +320,8 @@ describe('git-auth-helper tests', () => {
     ).toString()
     expect(actualSshKeyContent).toBe(settings.sshKey + '\n')
     if (!isWindows) {
+      // Assert read/write for user, not group or others.
+      // Otherwise SSH client will error.
       expect((await fs.promises.stat(actualSshKeyPath)).mode & 0o777).toBe(
         0o600
       )

action.yml

@@ -16,7 +16,7 @@ inputs:
       commands. The post-job step removes the PAT.
 
 
-      We recommend creating a service account with the least permissions necessary.
+      We recommend using a service account with the least permissions necessary.
       Also when generating a new PAT, select the least scopes necessary.
 
 
@@ -24,12 +24,12 @@ inputs:
     default: ${{ github.token }}
   ssh-key:
     description: >
-      SSH key used to fetch the repository. SSH key is configured with the local
+      SSH key used to fetch the repository. The SSH key is configured with the local
       git config, which enables your scripts to run authenticated git commands.
       The post-job step removes the SSH key.
 
 
-      We recommend creating a service account with the least permissions necessary.
+      We recommend using a service account with the least permissions necessary.
 
 
       [Learn more about creating and using