From 440a191138b6baeeed68cbec1d1ae9ffd345f44e Mon Sep 17 00:00:00 2001 From: Marcel Date: Mon, 11 May 2026 14:09:12 +0200 Subject: [PATCH] infra(workflows): annotate env-file cleanup as load-bearing MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit The `if: always()` conditional on the env-file cleanup step in both deploy workflows is what makes the ADR-011 single-tenant runner trust model safe: secrets land on disk before each deploy and are wiped unconditionally afterwards. A future workflow refactor that drops `if: always()` would silently leave plaintext secrets on the runner on any failed deploy. The ADR documents this; the workflow file did not. Adds a prominent inline comment so the next reader of the YAML sees the constraint without having to cross-reference ADR-011. No behaviour change — both workflows still parse. Addresses @nora's round-2 suggestion on PR #499 — "linchpin of the ADR-011 trust model". Co-Authored-By: Claude Opus 4.7 --- .gitea/workflows/nightly.yml | 6 ++++++ .gitea/workflows/release.yml | 6 ++++++ 2 files changed, 12 insertions(+) diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml index 870a5a99..1bae7b04 100644 --- a/.gitea/workflows/nightly.yml +++ b/.gitea/workflows/nightly.yml @@ -122,5 +122,11 @@ jobs: echo "All smoke checks passed" - name: Cleanup env file + # LOAD-BEARING: `if: always()` is the linchpin of the ADR-011 + # single-tenant runner trust model. Every secret in .env.staging + # is plain text on the runner filesystem until this step runs. + # If a future refactor drops `if: always()`, a failed deploy + # leaves the env-file behind. Do not remove this conditional + # without first re-evaluating ADR-011. if: always() run: rm -f .env.staging diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml index 3d5c99d1..96894fed 100644 --- a/.gitea/workflows/release.yml +++ b/.gitea/workflows/release.yml 
@@ -116,5 +116,11 @@ jobs: echo "All smoke checks passed" - name: Cleanup env file + # LOAD-BEARING: `if: always()` is the linchpin of the ADR-011 + # single-tenant runner trust model. Every secret in + # .env.production is plain text on the runner filesystem until + # this step runs. If a future refactor drops `if: always()`, a + # failed deploy leaves the env-file behind. Do not remove this + # conditional without first re-evaluating ADR-011. if: always() run: rm -f .env.production
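Review bot: In the nightly.yml hunk, the new comment only warns about the regression it describes; nothing in CI would catch a refactor that drops `if: always()` from the "Cleanup env file" step. Since the commit message already notes that both workflows are checked to still parse, extend that parse check to assert that the step named "Cleanup env file" carries `if: always()` in each workflow, so the failure mode the comment spells out ("a failed deploy leaves the env-file behind") becomes a CI failure rather than something the next reader has to notice. The comment can then point at that check as well as at ADR-011.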
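Review bot: In the release.yml hunk, the comment calls `if: always()` the "linchpin" of the trust model, but `if: always()` only covers the case where the job reaches this step; if the runner process is killed or the host goes down mid-deploy, no step runs and `.env.production` stays on disk until the next job. Suggest two small changes: reword the comment to say the conditional covers step and job failure, not a runner crash, and add the same `rm -f .env.production` immediately before the step that writes the file so a stale copy from an aborted run is wiped before new secrets land. The same applies to `.env.staging` in nightly.yml; keeping the two comments word-for-word in sync (they currently differ only in the file name) avoids one of them drifting.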