[BUG] Secrets permission mode value does not comply with current Compose Specification #10783

@shantanoo-desai

Description

According to the Long Syntax Description for Secrets in the Compose Specification Docs:

mode: The permissions for the file to be mounted in /run/secrets/ in the service's task containers, in octal notation. Default value is world-readable permissions (mode 0444). The writable bit must be ignored if set. The executable bit may be set.

However, based on the implementation for pkg/compose/secrets.go the value is set to 0o400.

Steps To Reproduce

For the following Compose File docker-compose.alpine.yml:

services:
  demo:
    image: alpine
    secrets:
      - foo

secrets:
    foo:
      environment: FOO

mounting a secret via an environment variable via CLI:

$ FOO=hello docker compose -f docker-compose.alpine.yml run demo stat -c "%a" /run/secrets/foo

provides the following output:

[+] Building 0.0s (0/0)                                                                                                                                                                                            
[+] Building 0.0s (0/0)                                                                                                                                                                                            
400

Compose Version

v2.18.1 / 2.19.1

Docker Environment

Client:
 Version:    24.0.0
 Context:    default
 Debug Mode: false
 Plugins:
  buildx: Docker Buildx (Docker Inc.)
    Version:  0.10.4
    Path:     /usr/lib/docker/cli-plugins/docker-buildx
  compose: Docker Compose (Docker Inc.)
    Version:  2.18.1
    Path:     /usr/lib/docker/cli-plugins/docker-compose

Has also been tested on Docker Engine v24.0.3.

Anything else?

No response
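
The comparison this report makes, as an added Go example that is not part of the issue or of the docker/compose code base: it derives the mode implied by the quoted specification text and checks the `stat -c "%a"` output from the reproduction against it. `EffectiveSecretMode` and `CheckObserved` are hypothetical helper names, and the `0666` input is constructed.

```go
package main

import (
	"fmt"
	"io/fs"
	"strconv"
	"strings"
)

// specDefaultMode is the default stated in the Compose Specification text quoted above.
const specDefaultMode fs.FileMode = 0o444

// writeBits covers the owner/group/other writable bits, which the spec says must be ignored.
const writeBits fs.FileMode = 0o222

// EffectiveSecretMode returns the permissions the quoted spec text implies:
// 0444 when no mode is given, otherwise the requested mode with writable bits
// cleared (executable bits may remain). Hypothetical helper, not from docker/compose.
func EffectiveSecretMode(requested *uint32) fs.FileMode {
	if requested == nil {
		return specDefaultMode
	}
	return fs.FileMode(*requested).Perm() &^ writeBits
}

// CheckObserved parses the output of `stat -c "%a"` (octal digits) and reports
// whether it matches the mode the spec text implies.
func CheckObserved(statOutput string, requested *uint32) (observed, want fs.FileMode, ok bool, err error) {
	n, err := strconv.ParseUint(strings.TrimSpace(statOutput), 8, 32)
	if err != nil {
		return 0, 0, false, fmt.Errorf("not an octal mode: %q: %w", statOutput, err)
	}
	observed = fs.FileMode(n).Perm()
	want = EffectiveSecretMode(requested)
	return observed, want, observed == want, nil
}

func main() {
	// "400" is the value printed in the reproduction; the Compose file sets no mode.
	observed, want, ok, err := CheckObserved("400\n", nil)
	if err != nil {
		panic(err)
	}
	fmt.Printf("observed=%04o want=%04o compliant=%v\n", observed, want, ok)
	// Constructed input: a long-syntax mode of 0666 has its writable bits dropped.
	m := uint32(0o666)
	fmt.Printf("requested=0666 effective=%04o\n", EffectiveSecretMode(&m))
}
```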
