disinto-admin/disinto
1
0
Fork 0
Code Issues 15 Pull requests Projects Releases Packages Wiki Activity Actions

fix: fix: env.sh save/restore should only protect FORGE_URL, not FORGE_TOKEN (#364) #365

Merged
dev-qwen merged 1 commit from fix/issue-364 into main 2026-04-07 17:36:09 +00:00
Conversation 2 Commits 1 Files changed 1 +4 -8
1 changed files with 4 additions and 8 deletions
Download patch file Download diff file Expand all files Collapse all files

12
lib/env.sh
View file

@ -21,14 +21,13 @@ export DISINTO_LOG_DIR
# Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env. # Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env.
# Always source .env — cron jobs inside the container do NOT inherit compose # Always source .env — cron jobs inside the container do NOT inherit compose
# env vars (FORGE_TOKEN, etc.). Compose-injected vars (like FORGE_URL) are # env vars (FORGE_TOKEN, etc.). Only FORGE_URL is preserved across .env
# already set and won't be clobbered since env.sh uses ${VAR:-default} patterns # sourcing because compose injects http://forgejo:3000 while .env has
# for derived values. FORGE_URL from .env (localhost:3000) is overridden below # http://localhost:3000. FORGE_TOKEN is NOT preserved so that refreshed
# by the compose-injected value when running via docker exec. # tokens in .env take effect immediately in running containers.
if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
set -a set -a
_saved_forge_url="${FORGE_URL:-}" _saved_forge_url="${FORGE_URL:-}"
_saved_forge_token="${FORGE_TOKEN:-}"
# Use temp file + validate dotenv format before sourcing (avoids eval injection) # Use temp file + validate dotenv format before sourcing (avoids eval injection)
# SOPS -d automatically verifies MAC/GCM authentication tag during decryption # SOPS -d automatically verifies MAC/GCM authentication tag during decryption
_tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; } _tmpenv=$(mktemp) || { echo "Error: failed to create temp file for .env.enc" >&2; exit 1; }
@ -55,17 +54,14 @@ if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
rm -f "$_tmpenv" rm -f "$_tmpenv"
set +a set +a
[ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url" [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
[ -n "$_saved_forge_token" ] && export FORGE_TOKEN="$_saved_forge_token"
elif [ -f "$FACTORY_ROOT/.env" ]; then elif [ -f "$FACTORY_ROOT/.env" ]; then
# Preserve compose-injected FORGE_URL (localhost in .env != forgejo in Docker) # Preserve compose-injected FORGE_URL (localhost in .env != forgejo in Docker)
_saved_forge_url="${FORGE_URL:-}" _saved_forge_url="${FORGE_URL:-}"
_saved_forge_token="${FORGE_TOKEN:-}"
set -a set -a
# shellcheck source=/dev/null # shellcheck source=/dev/null
source "$FACTORY_ROOT/.env" source "$FACTORY_ROOT/.env"
set +a set +a
[ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url" [ -n "$_saved_forge_url" ] && export FORGE_URL="$_saved_forge_url"
[ -n "$_saved_forge_token" ] && export FORGE_TOKEN="$_saved_forge_token"
fi fi
# PATH: foundry, node, system # PATH: foundry, node, system