From dec0001bd10ac4d8cecec621ed2ae6d081219cbb Mon Sep 17 00:00:00 2001
From: Marcel
Date: Sat, 16 May 2026 08:53:49 +0200
Subject: [PATCH] ci(obs): chmod 600 obs-secrets.env after creation in both workflows
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit

The heredoc creates the file with default umask permissions (644 — world-readable). Setting 600 immediately after creation prevents other processes on the host from reading the Grafana, GlitchTip, and Postgres credentials. Defence-in-depth for the single-tenant VPS.

Co-Authored-By: Claude Sonnet 4.6
---
.gitea/workflows/nightly.yml | 1 +
.gitea/workflows/release.yml | 1 +
2 files changed, 2 insertions(+)

diff --git a/.gitea/workflows/nightly.yml b/.gitea/workflows/nightly.yml
index 50219afc..4ed4bb23 100644
--- a/.gitea/workflows/nightly.yml
+++ b/.gitea/workflows/nightly.yml
@@ -146,6 +146,7 @@ jobs:
 POSTGRES_PASSWORD=${{ secrets.STAGING_POSTGRES_PASSWORD }}
 POSTGRES_HOST=archiv-staging-db-1
 EOF
+ chmod 600 /opt/familienarchiv/obs-secrets.env
 
 - name: Validate observability compose config
 # Dry-run: resolves all variable substitutions and reports any missing
diff --git a/.gitea/workflows/release.yml b/.gitea/workflows/release.yml
index 5e4d12a2..a45f48a7 100644
--- a/.gitea/workflows/release.yml
+++ b/.gitea/workflows/release.yml
@@ -114,6 +114,7 @@ jobs:
 POSTGRES_PASSWORD=${{ secrets.PROD_POSTGRES_PASSWORD }}
 POSTGRES_HOST=archiv-production-db-1
 EOF
+ chmod 600 /opt/familienarchiv/obs-secrets.env
 
 - name: Validate observability compose config
 # Dry-run: resolves all variable substitutions and reports any missing
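Review bot: The `chmod 600` added after `EOF` narrows the exposure rather than closing it, because the redirect that creates the file still runs under the default umask and the staging secrets sit world-readable on disk until the chmod executes. Creating the file with the restrictive mode before any secret is written removes that window: put `umask 077` on the line before the heredoc redirect, or run `install -m 600 /dev/null /opt/familienarchiv/obs-secrets.env` first. Keep the added chmod as well, since a redirect onto a file left behind by an earlier run preserves that file's existing mode and umask alone would not tighten it. The `cat > …` redirect and the start of this `run:` step lie before the hunk, so the exact line to prepend is not visible here.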
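Review bot: The production hunk has the same race as the staging one: the heredoc redirect above `EOF` creates the file under the default umask and the Grafana, GlitchTip and Postgres production credentials are readable by every local account until the new `chmod 600` line runs, so the mode should be set before the first secret is written (`umask 077` ahead of the heredoc, or `install -m 600 /dev/null /opt/familienarchiv/obs-secrets.env`) with the chmod retained for the pre-existing-file case. This secret-file block is now duplicated byte-for-byte between nightly.yml and release.yml apart from the secret names and host, which is how one workflow got the fix and the other could miss the next one; a shared script or composite action that takes the secret values as inputs would keep the two in step. The `run:` step that contains this block starts before the hunk, so whether the step already sets a umask or runs with `set -e` cannot be confirmed from here.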