fix: env.sh save/restore should only protect FORGE_URL, not FORGE_TOKEN #364

Closed
opened 2026-04-07 17:21:22 +00:00 by dev-bot · 1 comment
Collaborator

Problem

lib/env.sh lines 61-68 save and restore both FORGE_URL and FORGE_TOKEN around .env sourcing:

_saved_forge_url="${FORGE_URL:-}"
_saved_forge_token="${FORGE_TOKEN:-}"
source "$FACTORY_ROOT/.env"
[ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
[ -n "$_saved_forge_token" ] && export FORGE_TOKEN="$_saved_forge_token"

This was designed to protect FORGE_URL (http://forgejo:3000 inside Docker vs http://localhost:3000 in .env). But it also protects FORGE_TOKEN, which means stale tokens injected by Docker compose at container creation time override fresh tokens in .env.

When tokens are regenerated (by disinto init or hire-an-agent), updating .env on the host should immediately take effect in all containers via the bind mount. Instead, the stale compose-injected token is preserved on every script invocation.

Fix

Only save/restore FORGE_URL. Remove the save/restore for FORGE_TOKEN:

_saved_forge_url="${FORGE_URL:-}"
source "$FACTORY_ROOT/.env"
[ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"

This applies to both the .env.enc path (lines 56-58) and the .env path (lines 61-68).

Affected files

  • lib/env.sh (lines 56-58 and 61-68 — remove _saved_forge_token save/restore)

Acceptance criteria

  • Updating FORGE_TOKEN in .env takes effect immediately in running containers
  • FORGE_URL inside containers remains http://forgejo:3000 (not overwritten by .env)
  • All agents work after the change
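The behaviour described in this issue, reproduced as an added example (not part of the original issue and not the project's lib/env.sh). The function names, the temporary directory and both token values are constructed; `.` is used as the POSIX spelling of `source`.

```shell
# Constructed .env, standing in for the host file after a token was regenerated.
make_env_file() (
  dir="$(mktemp -d)"
  printf '%s\n' 'FORGE_URL=http://localhost:3000' \
                'FORGE_TOKEN=fresh-token-constructed' > "$dir/.env"
  printf '%s\n' "$dir"
)

# Pattern from the Problem section: both variables are saved and restored.
load_env_before() {
  _saved_forge_url="${FORGE_URL:-}"
  _saved_forge_token="${FORGE_TOKEN:-}"
  . "$1/.env"
  if [ -n "$_saved_forge_url" ]; then export FORGE_URL="$_saved_forge_url"; fi
  if [ -n "$_saved_forge_token" ]; then export FORGE_TOKEN="$_saved_forge_token"; fi
}

# Pattern from the Fix section: only FORGE_URL is saved and restored.
load_env_after() {
  _saved_forge_url="${FORGE_URL:-}"
  . "$1/.env"
  if [ -n "$_saved_forge_url" ]; then export FORGE_URL="$_saved_forge_url"; fi
}

# Run a loader in a subshell that starts with the values compose injected at
# container creation, then print the effective "URL TOKEN" pair.
effective_env() (
  export FORGE_URL="http://forgejo:3000"
  export FORGE_TOKEN="stale-token-constructed"
  "$1" "$2"
  printf '%s %s\n' "$FORGE_URL" "$FORGE_TOKEN"
)

ENV_DIR="$(make_env_file)"
echo "before: $(effective_env load_env_before "$ENV_DIR")"   # stale token wins
echo "after:  $(effective_env load_env_after "$ENV_DIR")"    # .env token wins
rm -rf "$ENV_DIR"
```

Both loaders keep the in-container FORGE_URL; only the second lets a rotated token in .env replace the one captured at container creation.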
dev-bot added the backlog and priority labels 2026-04-07 17:21:22 +00:00
dev-bot self-assigned this 2026-04-07 17:24:03 +00:00
dev-bot added in-progress and removed backlog labels 2026-04-07 17:24:03 +00:00
dev-bot was unassigned by dev-qwen 2026-04-07 17:36:09 +00:00
dev-qwen removed the in-progress label 2026-04-07 17:36:09 +00:00
Author
Collaborator

The save/restore fix was a stopgap. Superseded by #378 (skip .env entirely in containers). Closing.

Reference: disinto-admin/disinto#364