The encrypted models.yml is named private_encrypted_models.yml.age so
chezmoi *should* set 600 on decrypt, but on boxes where the file
already existed from a prior apply (before the rename), the perm stays
at umask default (644). This run_onchange script normalizes to 600.
Runs only when the script body changes (chezmoi hashes the rendered
content). On a fresh apply, it brings the perm to 600 once, then stays
silent on subsequent applies until the body changes again.
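
A sketch of what such a normalizing script can look like, as an added example and not the repository's own script. The names file_mode, normalize_mode and MODELS_FILE are hypothetical, and the decrypted file's real path is not given above, so it is passed in rather than hard-coded.

```shell
#!/bin/sh
# Added example: bring a decrypted secret file to mode 600.
# file_mode, normalize_mode and MODELS_FILE are assumed names, not from
# the original. As a chezmoi run_onchange script this would run again
# only when its rendered content changes.

# Print the octal permission bits of $1 (GNU stat first, then BSD stat).
file_mode() {
    stat -c '%a' "$1" 2>/dev/null || stat -f '%Lp' "$1"
}

# Return 0 if $1 is absent or ends up at mode 600, 1 on refusal or failure.
normalize_mode() {
    target=$1
    # Nothing to do if the file has not been decrypted on this box yet.
    [ -e "$target" ] || [ -L "$target" ] || return 0
    # Refuse symlinks: chmod follows the link and would change another file.
    if [ -L "$target" ]; then
        echo "refusing to chmod symlink: $target" >&2
        return 1
    fi
    [ -f "$target" ] || { echo "not a regular file: $target" >&2; return 1; }
    current=$(file_mode "$target") || return 1
    if [ "$current" != "600" ]; then
        chmod 600 "$target" || return 1
        echo "mode $current -> 600: $target" >&2
    fi
    # Verify the result instead of trusting chmod's exit status alone.
    [ "$(file_mode "$target")" = "600" ]
}

# Act only when the caller supplies the path (placeholder variable).
if [ -n "${MODELS_FILE:-}" ]; then
    normalize_mode "$MODELS_FILE"
fi
```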