diff --git a/infra/docker-compose.yml b/infra/docker-compose.yml
index 53c1a97..d8f5299 100644
--- a/infra/docker-compose.yml
+++ b/infra/docker-compose.yml
@@ -68,6 +68,7 @@ services:
       POSTGRES_DB: hiy
       POSTGRES_USER: hiy_admin
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      FORGEJO_DB_PASSWORD: ${FORGEJO_DB_PASSWORD}
     volumes:
       - hiy-pg-data:/var/lib/postgresql/data
       # SQL files here run once on first init (ignored if data volume already exists).
diff --git a/infra/postgres-init/01-forgejo.sh b/infra/postgres-init/01-forgejo.sh
new file mode 100755
index 0000000..b401aa6
--- /dev/null
+++ b/infra/postgres-init/01-forgejo.sh
@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# Create a dedicated database and user for Forgejo.
+# Runs once when the Postgres container is first initialised.
+# FORGEJO_DB_PASSWORD must be set in the environment (via docker-compose.yml).
+set -euo pipefail
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+    CREATE USER forgejo WITH PASSWORD '${FORGEJO_DB_PASSWORD}';
+    CREATE DATABASE forgejo OWNER forgejo;
+EOSQL
diff --git a/infra/postgres-init/01-forgejo.sql b/infra/postgres-init/01-forgejo.sql
deleted file mode 100644
index 1031b90..0000000
--- a/infra/postgres-init/01-forgejo.sql
+++ /dev/null
@@ -1,5 +0,0 @@
--- Create a dedicated database and user for Forgejo.
--- This script runs once when the Postgres container is first initialised.
--- If the container already has data it is skipped automatically.
-CREATE USER forgejo WITH PASSWORD 'CHANGE_ME';
-CREATE DATABASE forgejo OWNER forgejo;