From a47564934d3e9e1bb7d8adfc14c12cf4d5aed787 Mon Sep 17 00:00:00 2001
From: Marcel
Date: Tue, 2 Jun 2026 19:37:56 +0200
Subject: [PATCH] ci(deploy): harden deploy-obs config step with set -euo pipefail
A failed cp/mkdir in the deploy-configs step was previously swallowed (the step had no set -e), so a broken config copy could still reach the validate step. The five-key guard catches empty secrets but not a failed copy. -u also catches a typo'd env var name. Raised in review (Sara, Tobias).
Co-Authored-By: Claude Opus 4.8
---
 .gitea/actions/deploy-obs/action.yml | 1 +
 1 file changed, 1 insertion(+)
diff --git a/.gitea/actions/deploy-obs/action.yml b/.gitea/actions/deploy-obs/action.yml
index 97d2f2a8..59a90f37 100644
--- a/.gitea/actions/deploy-obs/action.yml
+++ b/.gitea/actions/deploy-obs/action.yml
@@ -53,6 +53,7 @@ runs:
 POSTGRES_PASSWORD: ${{ inputs.postgres_password }}
 POSTGRES_HOST: ${{ inputs.postgres_host }}
 run: |
+ set -euo pipefail
 rm -rf /opt/familienarchiv/infra/observability
 mkdir -p /opt/familienarchiv/infra/observability
 cp -r infra/observability/. /opt/familienarchiv/infra/observability/
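Review bot: The added `set -euo pipefail` at the top of the `run:` block depends on the step's shell, which is outside the hunk: `-o pipefail` is a bash option and some `sh` implementations reject it, so the step should declare `shell: bash` explicitly if it does not already. With fail-fast now in effect, a `cp -r` failure aborts the step after `rm -rf` has already removed `/opt/familienarchiv/infra/observability`, leaving the live directory empty or partial; staging the copy into a sibling directory and swapping it in with `mv` only once the copy succeeds would keep the previous config in place on failure. A short comment above the new line, e.g. `# fail fast: a failed mkdir/cp must not reach the validate step`, would record why it is there. The `run:` block continues past the end of the hunk, so whether later commands rely on unset variables or on a non-zero pipeline status (which `-u` and `pipefail` now turn into failures) should be checked against the full step.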