Five required, no-default inputs (incl. grafana_db_password for the #651 read-only reader role). Four named run: blocks keep the four CI log sections: deploy configs, validate, start, assert health. Secrets map to env: and are written via an unquoted <<EOF heredoc ('$VAR' expands at the shell layer; a quoted delimiter would write the literal var name and config --quiet would pass anyway). A five-key non-empty guard runs right after the write, and chmod 600 is the final operation so the file is never world-readable. ADR-016 absolute paths and the two-file --env-file ordering are preserved.

Co-Authored-By: Claude Opus 4.8 <noreply@anthropic.com>
6.1 KiB
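The heredoc behaviour and guard described in the commit message, as an added example that is not code from the commit itself. `APP_DB_PASSWORD`, the function names, the `umask 077` step and the extra check for a literal `$KEY` value are assumptions made for illustration; only `grafana_db_password` is named on the page.

```shell
#!/bin/sh
# Added example. APP_DB_PASSWORD is a hypothetical key; only
# grafana_db_password is named in the commit message.

# Unquoted delimiter: the shell expands $VAR while writing the file.
write_env_expanded() {
  ( umask 077   # assumption: create the file owner-only from the start
    cat > "$1" <<EOF
GRAFANA_DB_PASSWORD=$GRAFANA_DB_PASSWORD
APP_DB_PASSWORD=$APP_DB_PASSWORD
EOF
  )
  chmod 600 "$1"
}

# Quoted delimiter: no expansion, the literal text "$VAR" is written.
write_env_literal() {
  ( umask 077
    cat > "$1" <<'EOF'
GRAFANA_DB_PASSWORD=$GRAFANA_DB_PASSWORD
APP_DB_PASSWORD=$APP_DB_PASSWORD
EOF
  )
  chmod 600 "$1"
}

# Guard: each key must be present and non-empty. As an extra check beyond
# a non-empty guard, a value equal to its own "$KEY" is rejected too.
# Prints "ok", or "<reason>:<KEY>" for the first failure and returns 1.
check_env_keys() {
  guard_file=$1; shift
  for guard_key in "$@"; do
    guard_val=$(sed -n "s/^${guard_key}=//p" "$guard_file" | head -n 1)
    if [ -z "$guard_val" ]; then
      echo "empty:$guard_key"; return 1
    fi
    if [ "$guard_val" = "\$$guard_key" ]; then
      echo "literal:$guard_key"; return 1
    fi
  done
  echo "ok"
}
```

A guard that tests only for non-empty values accepts the file written by `write_env_literal`, because the string `$GRAFANA_DB_PASSWORD` is itself non-empty; the literal comparison is what catches it.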