fix: lib/git-creds.sh + docker/edge/entrypoint-edge.sh: read $FORGE_PASS from env at git-runtime instead of baking it into the credential helper file (#669)

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

docker/edge/entrypoint-edge.sh

@@ -64,12 +64,13 @@ if [ -n "${FORGE_PASS:-}" ] && [ -n "${FORGE_URL:-}" ]; then
 
   cat > "${HOME}/.git-credentials-helper" <<CREDEOF
 #!/bin/sh
+# Reads \$FORGE_PASS from env at runtime — file is safe to read on disk.
 [ "\$1" = "get" ] || exit 0
 cat >/dev/null
 echo "protocol=${_forge_proto}"
 echo "host=${_forge_host}"
 echo "username=${_bot_user}"
-echo "password=${FORGE_PASS}"
+echo "password=\$FORGE_PASS"
 CREDEOF
   chmod 755 "${HOME}/.git-credentials-helper"
   git config --global credential.helper "${HOME}/.git-credentials-helper"