The `if: always()` conditional on the env-file cleanup step in both deploy workflows is what makes the ADR-011 single-tenant runner trust model safe: secrets land on disk before each deploy and are wiped unconditionally afterwards. A future workflow refactor that drops `if: always()` would silently leave plaintext secrets on the runner on any failed deploy. The ADR documents this; the workflow file did not. Adds a prominent inline comment so the next reader of the YAML sees the constraint without having to cross-reference ADR-011. No behaviour change — both workflows still parse. Addresses @nora's round-2 suggestion on PR #499 — "linchpin of the ADR-011 trust model".

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
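A comment protects against an accidental refactor only if someone reads it. A mechanical guard-rail that fails CI when a cleanup step loses its `if: always()` is the complementary check a defender would want. The script below is an added example, not code from the PR or the project: it walks the parsed workflow (the mapping `yaml.safe_load` returns), identifies cleanup steps by a name/command heuristic that is an assumption of this example, and reports any such step whose `if` is not `always()` (with or without the `${{ }}` wrapper). The sample workflows are constructed dicts, not the project's real files; the step without an `if` illustrates the failure mode, since GitHub Actions defaults a step's condition to `success()`, so it is skipped the moment an earlier deploy step fails.

```python
"""Guard-rail lint: report secret-cleanup steps that lack `if: always()`.

Added example for the ADR-011 cleanup invariant; the cleanup-step heuristic
and the sample workflows are assumptions, not the project's own code.
"""
import re
import sys

# Heuristic for recognising the cleanup step (assumption of this example;
# tighten it to the exact step name your own deploy workflows use).
CLEANUP_NAME_RE = re.compile(r"clean|wipe|remove|shred|delete", re.IGNORECASE)
CLEANUP_RUN_RE = re.compile(r"\b(rm|shred|unlink)\b")

# Accepted spellings of the unconditional guard: `always()` or `${{ always() }}`.
ALWAYS_RE = re.compile(r"^\s*(\$\{\{\s*)?always\(\)(\s*\}\})?\s*$")


def is_cleanup_step(step: dict) -> bool:
    """True if the step looks like it removes the on-disk secrets file."""
    name = str(step.get("name", ""))
    run = str(step.get("run", ""))
    return bool(CLEANUP_NAME_RE.search(name) or CLEANUP_RUN_RE.search(run))


def has_always_guard(step: dict) -> bool:
    """True only if the step's `if` is exactly always(); a missing `if`
    means the GitHub default success(), which skips the step after a failure."""
    cond = step.get("if")
    return isinstance(cond, str) and bool(ALWAYS_RE.match(cond))


def find_unguarded_cleanup_steps(workflow: dict) -> list:
    """Return (job_id, step_label) for every cleanup step without if: always()."""
    findings = []
    for job_id, job in (workflow.get("jobs") or {}).items():
        for idx, step in enumerate(job.get("steps") or []):
            if is_cleanup_step(step) and not has_always_guard(step):
                findings.append((job_id, step.get("name", f"step #{idx}")))
    return findings


# Constructed sample: a deploy job in the shape yaml.safe_load would produce.
SAFE_WORKFLOW = {
    "name": "deploy",
    "jobs": {
        "deploy": {
            "runs-on": "self-hosted",
            "steps": [
                {"name": "Write env file", "run": "printf '%s' \"$DEPLOY_ENV\" > .env"},
                {"name": "Deploy", "run": "./deploy.sh"},
                # The guarded cleanup step: runs even if ./deploy.sh fails.
                {"name": "Clean up env file", "if": "always()", "run": "shred -u .env"},
            ],
        }
    },
}

# Constructed sample of the regression the commit warns about: same job,
# but the cleanup step has lost its `if: always()`.
UNSAFE_WORKFLOW = {
    "name": "deploy",
    "jobs": {
        "deploy": {
            "runs-on": "self-hosted",
            "steps": [
                {"name": "Write env file", "run": "printf '%s' \"$DEPLOY_ENV\" > .env"},
                {"name": "Deploy", "run": "./deploy.sh"},
                {"name": "Clean up env file", "run": "shred -u .env"},
            ],
        }
    },
}


def main(paths: list) -> int:
    """CLI entry point: lint the workflow files given on the command line.
    PyYAML is only needed here, not for the in-memory samples above."""
    import yaml

    exit_code = 0
    for path in paths:
        with open(path, encoding="utf-8") as fh:
            workflow = yaml.safe_load(fh) or {}
        for job_id, label in find_unguarded_cleanup_steps(workflow):
            print(f"{path}: job '{job_id}' step '{label}' lacks if: always()")
            exit_code = 1
    return exit_code


if __name__ == "__main__":
    sys.exit(main(sys.argv[1:]))
```

Run it as a pre-merge check over `.github/workflows/*.yml` (the path is the usual location, assumed here) so a refactor that drops the guard fails CI rather than relying on a reviewer noticing. One caveat worth keeping in mind when choosing the condition: `always()` also fires when the job is cancelled, which is the desired behaviour for wiping secrets, whereas `!cancelled()` would not.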