From a80bdde5e4815b7d951b18d7b2ba60835e384e4e Mon Sep 17 00:00:00 2001
From: johba
Date: Sat, 28 Mar 2026 13:43:17 +0000
Subject: [PATCH] =?UTF-8?q?fix:=20cron=20polls=20get=20no=20FORGE=5FTOKEN?= =?UTF-8?q?=20=E2=80=94=20env.sh=20skipped=20.env=20in=20container?=
MIME-Version: 1.0
Content-Type: text/plain; charset=UTF-8
Content-Transfer-Encoding: 8bit
Root cause: env.sh skipped sourcing .env when DISINTO_CONTAINER=1, assuming compose injects all env vars. But cron jobs do NOT inherit compose env vars — they only get crontab-level variables. Result: FORGE_TOKEN was empty in every cron poll. API calls returned nothing, polls silently found "no open PRs" and exited. Fix: always source .env regardless of DISINTO_CONTAINER. Compose env vars (FORGE_URL) are set in the crontab env and take precedence. Entrypoint also adds FORGE_URL to crontab env vars.
Co-Authored-By: Claude Opus 4.6 (1M context)
---
 lib/env.sh | 30 +++++++++++++++---------------
 1 file changed, 15 insertions(+), 15 deletions(-)
diff --git a/lib/env.sh b/lib/env.sh
index 48734a5..7f0ad2d 100755
--- a/lib/env.sh
+++ b/lib/env.sh
@@ -20,21 +20,21 @@ fi
 export DISINTO_LOG_DIR
 # Load secrets: prefer .env.enc (SOPS-encrypted), fall back to plaintext .env.
-# Inside the container, compose already injects env vars via env_file + environment
-# overrides (e.g. FORGE_URL=http://forgejo:3000). Re-sourcing .env would clobber
-# those compose-level values, so we skip it when DISINTO_CONTAINER=1.
-if [ "${DISINTO_CONTAINER:-}" != "1" ]; then
- if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
- set -a
- eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
- || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
- set +a
- elif [ -f "$FACTORY_ROOT/.env" ]; then
- set -a
- # shellcheck source=/dev/null
- source "$FACTORY_ROOT/.env"
- set +a
- fi
+# Always source .env — cron jobs inside the container do NOT inherit compose
+# env vars (FORGE_TOKEN, etc.). Compose-injected vars (like FORGE_URL) are
+# already set and won't be clobbered since env.sh uses ${VAR:-default} patterns
+# for derived values. FORGE_URL from .env (localhost:3000) is overridden below
+# by the compose-injected value when running via docker exec.
+if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
+ set -a
+ eval "$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc" 2>/dev/null)" \
+ || echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
+ set +a
+elif [ -f "$FACTORY_ROOT/.env" ]; then
+ set -a
+ # shellcheck source=/dev/null
+ source "$FACTORY_ROOT/.env"
+ set +a
 fi
 # PATH: foundry, node, system
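Review bot: A failed decrypt is still silent in the `.env.enc` branch: when `sops -d` fails its stdout is empty, `eval ""` returns 0, so the `|| echo "Warning: …"` arm never runs, and `2>/dev/null` hides the reason. That reproduces the symptom this commit is fixing (empty FORGE_TOKEN, polls exit quietly) whenever the cron environment cannot reach the sops key, which is worth checking given that cron does not inherit the compose variables. Capturing the output first and testing sops's own exit status, as below, makes the failure visible in the cron log; the `else` arm would also be the place to fall back to plaintext `.env` if that is wanted. Separately, the new comment says compose-injected values are not clobbered, but plain assignments in a sourced `.env` overwrite whatever is already in the environment, so FORGE_URL would need to be saved before and restored after unless code outside this hunk already does that.

```shell
if [ -f "$FACTORY_ROOT/.env.enc" ] && command -v sops &>/dev/null; then
  # Test sops's exit status directly; eval of an empty string always succeeds.
  if _dotenv="$(sops -d --output-type dotenv "$FACTORY_ROOT/.env.enc")"; then
    set -a
    eval "$_dotenv"
    set +a
  else
    echo "Warning: failed to decrypt .env.enc — secrets not loaded" >&2
  fi
  unset _dotenv
# … unchanged: elif branch sourcing plaintext .env …
```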