fix: env.sh should not source .env inside containers — compose env is the source of truth #378

Open
opened 2026-04-07 18:41:27 +00:00 by dev-bot · 0 comments
Collaborator

Problem

lib/env.sh unconditionally sources .env (or .env.enc via SOPS) on every script invocation. Inside Docker containers, the variables injected through the compose environment: key are the source of truth. Because the block runs as set -a; source .env, every assignment in the file is exported and silently overwrites the compose-injected value (FORGE_TOKEN, etc.) with whatever stale or wrong value happens to be in the .env on disk.

This is the root cause of three observed failures: dev-qwen resolving as dev-bot, stale tokens remaining in use after regeneration, and FORGE_TOKEN_OVERRIDE being clobbered.

Fix

Wrap the .env sourcing block in a container guard:

# Only bare-metal runs read secrets from disk; containers get them from compose.
if [ "${DISINTO_CONTAINER:-}" != "1" ]; then
  # Bare-metal: source .env.enc or .env
  if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
    # ... existing SOPS block ...
  elif [ -f "$FACTORY_ROOT/.env" ]; then
    # Keep a FORGE_URL already present in the caller's environment; .env must not override it.
    _saved_forge_url="${FORGE_URL:-}"
    set -a; source "$FACTORY_ROOT/.env"; set +a
    [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
  fi
fi

Inside containers (DISINTO_CONTAINER=1) env vars come only from compose; neither .env nor .env.enc is read. On bare metal, .env is sourced as before. The guard keys on the DISINTO_CONTAINER variable alone, so every compose service must set DISINTO_CONTAINER=1; a service that does not set it keeps the old behaviour and will still clobber compose values if a .env is reachable at $FACTORY_ROOT.
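The following is an added, stand-alone illustration of the guard's effect and is not the project's lib/env.sh. It uses a constructed .env fixture containing a stale FORGE_TOKEN, presets FORGE_TOKEN the way a compose environment: entry would, and shows that the compose value survives in container mode while the .env value wins on bare metal. The SOPS branch is left out of the stand-in; function names (load_dotenv, resolve_var, make_fixture) and the sample values are assumptions for this example only.

```bash
#!/usr/bin/env bash
# Added example, not the project's lib/env.sh: a minimal stand-in for the
# container guard, exercised in both modes against a constructed .env.

# Stand-in for the guard block. Reads .env from $1 only when not in a container.
# The .env.enc/SOPS branch is omitted here; the real guard must skip it as well.
load_dotenv() {
  local root="$1"
  if [ "${DISINTO_CONTAINER:-}" != "1" ]; then
    if [ -f "$root/.env" ]; then
      # Keep a FORGE_URL already present in the caller's environment.
      local _saved_forge_url="${FORGE_URL:-}"
      set -a; . "$root/.env"; set +a
      [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
    fi
  fi
  return 0
}

# Runs load_dotenv in a subshell with DISINTO_CONTAINER set to $1 and a
# compose-style preset FORGE_TOKEN/FORGE_URL, then prints the value of $3.
resolve_var() {
  local container_flag="$1" root="$2" name="$3"
  (
    export DISINTO_CONTAINER="$container_flag"
    export FORGE_TOKEN="from-compose"          # what compose environment: injects
    export FORGE_URL="http://compose.example"  # also preset by compose
    load_dotenv "$root"
    eval "printf '%s' \"\${$name}\""
  )
}

# Constructed fixture: a stale .env as left on disk by an earlier token rotation.
make_fixture() {
  local dir
  dir="$(mktemp -d)"
  printf 'FORGE_TOKEN=stale-from-dotenv\nFORGE_URL=http://dotenv.example\n' > "$dir/.env"
  printf '%s' "$dir"
}

demo() {
  local root
  root="$(make_fixture)"
  echo "container  FORGE_TOKEN: $(resolve_var 1  "$root" FORGE_TOKEN)"  # from-compose
  echo "bare-metal FORGE_TOKEN: $(resolve_var "" "$root" FORGE_TOKEN)"  # stale-from-dotenv
  echo "bare-metal FORGE_URL:   $(resolve_var "" "$root" FORGE_URL)"    # http://compose.example
  rm -rf "$root"
}

demo
```

The bare-metal FORGE_URL line shows the existing restore step doing its job: a FORGE_URL already in the environment survives sourcing even though FORGE_TOKEN from the same .env wins, which is exactly the asymmetry the container guard removes for all variables at once.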

Affected files

  • lib/env.sh (wrap lines 22-69 in container guard)

Acceptance criteria

  • Inside containers: FORGE_TOKEN from compose is never overwritten
  • On bare metal: .env is still sourced normally
  • Dev-qwen resolves as dev-qwen (not dev-bot) inside agents-llama container
  • All agents work after the change

Regression checklist

  • Must also skip .env.enc SOPS path (line 28) — not just .env
  • Only safe AFTER #379 lands (cron replaced with while-true): cron starts jobs with a near-empty environment, so today those jobs get their variables solely from .env sourcing; once the agents run as a while-true loop inside the compose-managed process they inherit the compose environment instead
  • All role-specific tokens (FORGE_REVIEW_TOKEN, FORGE_PLANNER_TOKEN, FORGE_GARDENER_TOKEN, FORGE_VAULT_TOKEN, FORGE_SUPERVISOR_TOKEN, FORGE_PREDICTOR_TOKEN, FORGE_ARCHITECT_TOKEN) must come from compose environment
  • WOODPECKER_TOKEN, CLAUDE_CODE_DISABLE_NONESSENTIAL_TRAFFIC, CLAUDE_TIMEOUT must come from compose environment
  • FORGE_BOT_USERNAMES (used by review-poll filtering) must come from compose environment
  • Bare-metal deployments must still source .env; the guard must test DISINTO_CONTAINER only, with no additional conditions on hostname, file presence or similar

Dependencies

Depends on #379

dev-bot added the backlog label 2026-04-07 18:41:27 +00:00
Reference: disinto-admin/disinto#378