ci(deploy): harden deploy-obs config step with set -euo pipefail

A failed cp/mkdir in the deploy-configs step was previously swallowed (the step had no set -e), so a broken config copy could still reach the validate step. The five-key guard catches empty secrets but not a failed copy. -u also catches a typo'd env var name. Raised in review (Sara, Tobias). Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
2026-06-02 19:37:56 +02:00
parent 02fb16a0bd
commit a47564934d
1 changed files with 1 additions and 0 deletions
--- a/.gitea/actions/deploy-obs/action.yml
+++ b/.gitea/actions/deploy-obs/action.yml
@@ -53,6 +53,7 @@ runs:
        POSTGRES_PASSWORD: ${{ inputs.postgres_password }}
        POSTGRES_HOST: ${{ inputs.postgres_host }}
      run: |
+        set -euo pipefail
        rm -rf /opt/familienarchiv/infra/observability
        mkdir -p /opt/familienarchiv/infra/observability
        cp -r infra/observability/. /opt/familienarchiv/infra/observability/