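-- Provision a read-only Postgres role that can SELECT only what the heatmap
-- sidecar needs. Run as a superuser against the Gitea database:
--
--   psql -U postgres -d gitea -f setup.sql
--
-- Replace 'CHANGE_ME' with a real password and update DATABASE_URL accordingly.
-- Keep the edited copy out of version control. CREATE USER sends the password
-- in cleartext, so it can end up in client history or the server log; running
-- psql's \password heatmap_ro afterwards sets a new one without the cleartext
-- appearing in a statement.

-- Stop at the first failing statement and exit non-zero. Without this,
-- psql -f reports the error, carries on, and still exits 0, so a failed GRANT
-- would not break loudly. Re-running where the role already exists therefore
-- stops at CREATE USER.
\set ON_ERROR_STOP on

-- All-or-nothing: a failure part-way through must not leave a role that can
-- log in with a partial set of grants.
BEGIN;

CREATE USER heatmap_ro WITH PASSWORD 'CHANGE_ME';

-- Guard rail, not a security boundary: sessions for this role start read-only,
-- but the role can change the setting for its own session. The grants below
-- are what actually limit access.
ALTER ROLE heatmap_ro SET default_transaction_read_only = on;

GRANT CONNECT ON DATABASE gitea TO heatmap_ro;
GRANT USAGE ON SCHEMA public TO heatmap_ro;

-- NOTE(review): the role also inherits whatever is granted to PUBLIC. On
-- PostgreSQL 14 and earlier that includes CREATE on schema public by default,
-- so check PUBLIC's privileges before treating this role as strictly read-only.

-- Only two tables. If Gitea ever renames them, the service breaks loudly,
-- which is what we want.
GRANT SELECT ON "action" TO heatmap_ro;

-- NOTE(review): this is a whole-table grant. Gitea's "user" table also holds
-- password hashes and e-mail addresses, which a heatmap is unlikely to need.
-- Once the sidecar's queries are confirmed, narrow this to a column-level
-- grant: GRANT SELECT (<columns the sidecar reads>) ON "user" TO heatmap_ro;
GRANT SELECT ON "user" TO heatmap_ro;

COMMIT;

-- Sanity check: confirm the user can read what we expect, and that a read of
-- any other table is refused with "permission denied".
--   \c gitea heatmap_ro
--   SELECT count(*) FROM "action";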