fix: fix: env.sh should not source .env inside containers — compose env is the source of truth (#378)

Agent 2026-04-08 05:07:09 +00:00
parent 7915b8c685
commit 0721ec6cd4


@ -20,48 +20,47 @@ fi
export DISINTO_LOG_DIR export DISINTO_LOG_DIR
# Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env. # Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env.
# Always source .env — cron jobs inside the container do NOT inherit compose # Inside containers (DISINTO_CONTAINER=1), compose environment is the source of truth.
# env vars (FORGE_TOKEN, etc.). Only FORGE_URL is preserved across .env # On bare metal, .env/.env.enc is sourced to provide default values.
# sourcing because compose injects http://forgejo:3000 while .env has if [ "${DISINTO_CONTAINER:-}" != "1" ]; then
# http://localhost:3000. FORGE_TOKEN is NOT preserved so that refreshed if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
# tokens in .env take effect immediately in running containers. set -a
if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then _saved_forge_url="${FORGE_URL:-}"
set -a # Use temp file + validate dotenv format before sourcing (avoids eval injection)
_saved_forge_url="${FORGE_URL:-}" # SOPS -d automatically verifies MAC/GCM authentication tag during decryption
# Use temp file + validate dotenv format before sourcing (avoids eval injection) _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
# SOPS -d automatically verifies MAC/GCM authentication tag during decryption if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then
_tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; } echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2
if ! sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" > "$_tmpenv" 2>/dev/null; then rm -f "$_tmpenv"
echo "Error: failed to decrypt .env.enc — decryption failed, possible corruption" >&2 exit 1
fi
# Validate: non-empty, non-comment lines must match KEY=value pattern
# Filter out blank lines and comments before validation
_validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true)
if [ -n "$_validated" ]; then
# Write validated content to a second temp file and source it
_validated_env=$(mktemp)
printf '%s\n' "$_validated" > "$_validated_env"
# shellcheck source=/dev/null
source "$_validated_env"
rm -f "$_validated_env"
else
echo "Error: .env.enc decryption output failed format validation" >&2
rm -f "$_tmpenv"
exit 1
fi
rm -f "$_tmpenv" rm -f "$_tmpenv"
exit 1 set +a
fi [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
# Validate: non-empty, non-comment lines must match KEY=value pattern elif [ -f "$FACTORY_ROOT/.env" ]; then
# Filter out blank lines and comments before validation # Preserve compose-injected FORGE_URL (localhost in .env != forgejo in Docker)
_validated=$(grep -E '^[A-Za-z_][A-Za-z0-9_]*=' "$_tmpenv" 2>/dev/null || true) _saved_forge_url="${FORGE_URL:-}"
if [ -n "$_validated" ]; then set -a
# Write validated content to a second temp file and source it
_validated_env=$(mktemp)
printf '%s\n' "$_validated" > "$_validated_env"
# shellcheck source=/dev/null # shellcheck source=/dev/null
source "$_validated_env" source "$FACTORY_ROOT/.env"
rm -f "$_validated_env" set +a
else [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
echo "Error: .env.enc decryption output failed format validation" >&2
rm -f "$_tmpenv"
exit 1
fi fi
rm -f "$_tmpenv"
set +a
[ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
elif [ -f "$FACTORY_ROOT/.env" ]; then
# Preserve compose-injected FORGE_URL (localhost in .env != forgejo in Docker)
_saved_forge_url="${FORGE_URL:-}"
set -a
# shellcheck source=/dev/null
source "$FACTORY_ROOT/.env"
set +a
[ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
fi fi
# Allow per-container token override (#375): .env sets the default FORGE_TOKEN # Allow per-container token override (#375): .env sets the default FORGE_TOKEN