From 25062be657e8d86f4a9427dd89557eb7dc69016b Mon Sep 17 00:00:00 2001
From: Marcel <marcel@familienarchiv>
Date: Sat, 16 May 2026 09:04:12 +0200
Subject: [PATCH] ci(obs): quote heredoc delimiter in release obs-secrets.env
 write

Same fix as nightly.yml: prevents shell expansion of '$' in secret
values after Gitea renders them. Keep in sync with nightly.yml.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
---
 .gitea/workflows/release.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 7b34728e..b180b667 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -107,7 +107,7 @@ jobs:
           mkdir -p /opt/familienarchiv/infra
           cp -r infra/observability /opt/familienarchiv/infra/
           cp docker-compose.observability.yml /opt/familienarchiv/
-          cat > /opt/familienarchiv/obs-secrets.env <<EOF
+          cat > /opt/familienarchiv/obs-secrets.env <<'EOF'
           GRAFANA_ADMIN_PASSWORD=${{ secrets.GRAFANA_ADMIN_PASSWORD }}
           GLITCHTIP_SECRET_KEY=${{ secrets.GLITCHTIP_SECRET_KEY }}
           POSTGRES_USER=archiv