diff --git a/.github/workflows/build-and-test.yaml b/.github/workflows/build-and-test.yaml
index e48fb8b..44ef385 100644
--- a/.github/workflows/build-and-test.yaml
+++ b/.github/workflows/build-and-test.yaml
@@ -1,5 +1,8 @@
 name: CI - Build and Test
-on: [push]
+on:
+  push:
+  pull_request:
+    branches: [ master ]
 jobs:
   build:
     strategy:
diff --git a/.github/workflows/codeql-analysis.yaml b/.github/workflows/codeql-analysis.yaml
index f52b33e..1bfde02 100644
--- a/.github/workflows/codeql-analysis.yaml
+++ b/.github/workflows/codeql-analysis.yaml
@@ -1,7 +1,6 @@
 name: CodeQL Analysis
 on:
   push:
-    branches: [ master ]
   pull_request:
     branches: [ master ]
 jobs:
diff --git a/src/config.c b/src/config.c
index 46d76b5..bd12786 100644
--- a/src/config.c
+++ b/src/config.c
@@ -25,6 +25,7 @@
 #include <stdio.h>
 #include <string.h>
 #include <sys/stat.h>
+#include <unistd.h>
 #if HAVE_SYS_INOTIFY_H
 # include <sys/inotify.h>
 #endif
@@ -129,14 +130,17 @@ int cmusfm_config_read(const char *fname, struct cmusfm_config *conf) {
 /* Write cmusfm configuration to the file. */
 int cmusfm_config_write(const char *fname, struct cmusfm_config *conf) {
 
+	int fd;
 	FILE *f;
 
-	/* create configuration file (truncate previous one) */
-	if ((f = fopen(fname, "w")) == NULL)
+	/* Create configuration file (truncate previous one) and set
+	 * access mode to protect session key from exposure. */
+	if ((fd = creat(fname, S_IRUSR | S_IWUSR)) == -1)
 		return -1;
-
-	/* protect session key from exposure */
-	chmod(fname, S_IWUSR | S_IRUSR);
+	if ((f = fdopen(fd, "w")) == NULL) {
+		close(fd);
+		return -1;
+	}
 
 	fprintf(f, "# authentication\n");
 	fprintf(f, "%s = \"%s\"\n", CMCONF_USER_NAME, conf->user_name);