Merge pull request 'fix: lib/git-creds.sh + docker/edge/entrypoint-edge.sh: read $FORGE_PASS from env at git-runtime instead of baking it into the credential helper file (#669)' (#670) from fix/issue-669 into main

docker/edge/entrypoint-edge.sh

@@ -64,12 +64,13 @@ if [ -n "${FORGE_PASS:-}" ] && [ -n "${FORGE_URL:-}" ]; then
 
   cat > "${HOME}/.git-credentials-helper" <<CREDEOF
 #!/bin/sh
+# Reads \$FORGE_PASS from env at runtime — file is safe to read on disk.
 [ "\$1" = "get" ] || exit 0
 cat >/dev/null
 echo "protocol=${_forge_proto}"
 echo "host=${_forge_host}"
 echo "username=${_bot_user}"
-echo "password=${FORGE_PASS}"
+echo "password=\$FORGE_PASS"
 CREDEOF
   chmod 755 "${HOME}/.git-credentials-helper"
   git config --global credential.helper "${HOME}/.git-credentials-helper"

lib/git-creds.sh

@@ -49,6 +49,7 @@ configure_git_creds() {
   cat > "$helper_path" <<CREDEOF
 #!/bin/sh
 # Auto-generated git credential helper for Forgejo password auth (#361, #604)
+# Reads \$FORGE_PASS from env at runtime — file is safe to read on disk.
 # Only respond to "get" action; ignore "store" and "erase".
 [ "\$1" = "get" ] || exit 0
 # Read and discard stdin (git sends protocol/host info)
@@ -56,7 +57,7 @@ cat >/dev/null
 echo "protocol=${forge_proto}"
 echo "host=${forge_host}"
 echo "username=${bot_user}"
-echo "password=${FORGE_PASS}"
+echo "password=\$FORGE_PASS"
 CREDEOF
   chmod 755 "$helper_path"