fix: use FORGEJO_DB_PASSWORD env var in postgres init script

Replaced hardcoded 'CHANGE_ME' in the SQL init file with a shell script
that reads FORGEJO_DB_PASSWORD from the environment. Also pass the variable
into the postgres service in docker-compose.yml so it is available at init time.

https://claude.ai/code/session_01FKCW3FDjNFj6jve4niMFXH

infra/docker-compose.yml

@@ -68,6 +68,7 @@ services:
       POSTGRES_DB: hiy
       POSTGRES_USER: hiy_admin
       POSTGRES_PASSWORD: ${POSTGRES_PASSWORD}
+      FORGEJO_DB_PASSWORD: ${FORGEJO_DB_PASSWORD}
     volumes:
       - hiy-pg-data:/var/lib/postgresql/data
       # SQL files here run once on first init (ignored if data volume already exists).

infra/postgres-init/01-forgejo.sh

@@ -0,0 +1,10 @@
+#!/usr/bin/env bash
+# Create a dedicated database and user for Forgejo.
+# Runs once when the Postgres container is first initialised.
+# FORGEJO_DB_PASSWORD must be set in the environment (via docker-compose.yml).
+set -euo pipefail
+
+psql -v ON_ERROR_STOP=1 --username "$POSTGRES_USER" <<-EOSQL
+    CREATE USER forgejo WITH PASSWORD '${FORGEJO_DB_PASSWORD}';
+    CREATE DATABASE forgejo OWNER forgejo;
+EOSQL

infra/postgres-init/01-forgejo.sql

@@ -1,5 +0,0 @@
--- Create a dedicated database and user for Forgejo.
--- This script runs once when the Postgres container is first initialised.
--- If the container already has data it is skipped automatically.
-CREATE USER forgejo WITH PASSWORD 'CHANGE_ME';
-CREATE DATABASE forgejo OWNER forgejo;