joakimp/pi-devbox
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

compose: deliver secrets via env_file only (drop environment: passthrough)

Browse Source 
Removes GITEA_ACCESS_TOKEN / GITEA_HOST / GITHUB_PERSONAL_ACCESS_TOKEN from
the compose environment: block. An environment: entry both overrides
env_file AND is interpolated from the host shell, so a stale shell export
(e.g. one auto-loaded by an opencode/dotenv hook) silently shadowed the
users .env — an updated token never reached the container. Secrets now flow
solely via env_file: .env; .env.example already documents every variable.

- docker-compose.yml: drop the 3 passthrough lines + explanatory comment
- README.md: sync the "basic shape" snippet
- CHANGELOG.md: note under Unreleased (no tag bump / unpublished)
This commit is contained in:
pi
2026-06-27 23:48:02 +02:00
parent b7197e88b0
commit c42b237d30
3 changed files with 24 additions and 6 deletions
Download Patch File Download Diff File Expand all files Collapse all files
CHANGELOG.md
+13
View File
@@ -13,6 +13,19 @@ Pre-v1.0.0 tags followed the pi npm version (`v{pi_version}[letter]`).
## Unreleased ## Unreleased
### Changed
- **Secrets are now delivered to the container via `env_file: .env` only; the
`environment:` block no longer re-declares `GITEA_ACCESS_TOKEN`,
`GITEA_HOST`, or `GITHUB_PERSONAL_ACCESS_TOKEN`.** An `environment:` entry
both overrides `env_file:` and is interpolated from the host shell, so a
stale shell export (e.g. one auto-loaded by an opencode/dotenv hook) would
silently shadow the value in your `.env` — an updated token in `.env` never
reached the container. Delivering secrets via `env_file` only decouples the
container from whatever the host shell happens to export. No action needed:
`.env.example` already documents every supported variable. Affects
`docker-compose.yml` and the README “basic shape” snippet.
### Fixed (CI) ### Fixed (CI)
- **`promote-base-latest` now re-points `base-latest` reliably after a - **`promote-base-latest` now re-points `base-latest` reliably after a
README.md
+4 -3
View File
@@ -319,9 +319,10 @@ services:
environment: environment:
- TERM=xterm-256color - TERM=xterm-256color
# - STUDIO_EXPOSE=1 # -studio only: auto-start the socat bridge on boot # - STUDIO_EXPOSE=1 # -studio only: auto-start the socat bridge on boot
- GITEA_ACCESS_TOKEN=${GITEA_ACCESS_TOKEN:-} # Secrets (GITEA_*, GITHUB_*, …) come from env_file: .env above — not
- GITEA_HOST=${GITEA_HOST:-} # duplicated here. An environment: entry overrides env_file and is
- GITHUB_PERSONAL_ACCESS_TOKEN=${GITHUB_PERSONAL_ACCESS_TOKEN:-} # interpolated from the host shell, so a stale shell export would
# silently shadow your .env. See .env.example for the full list.
volumes: volumes:
# Workspace: your host source tree # Workspace: your host source tree
- ${WORKSPACE_PATH:-.}:/workspace - ${WORKSPACE_PATH:-.}:/workspace
docker-compose.yml
+7 -3
View File
@@ -31,9 +31,13 @@ services:
- .env - .env
environment: environment:
- TERM=xterm-256color - TERM=xterm-256color
- GITEA_ACCESS_TOKEN=${GITEA_ACCESS_TOKEN:-} # Secrets (GITEA_*, GITHUB_*, and any others) are delivered to the
- GITEA_HOST=${GITEA_HOST:-} # container via `env_file: .env` above — do NOT duplicate them here.
- GITHUB_PERSONAL_ACCESS_TOKEN=${GITHUB_PERSONAL_ACCESS_TOKEN:-} # An `environment:` entry overrides env_file AND is interpolated from
# the host shell, so a stale shell export (e.g. one auto-loaded by a
# dotenv hook) would silently shadow the value in your .env. Keeping
# secrets env_file-only decouples the container from the host shell.
# See .env.example for the full list of supported variables.
volumes: volumes:
# Host workspace — mount your project here # Host workspace — mount your project here
- ${WORKSPACE_PATH:-.}:/workspace - ${WORKSPACE_PATH:-.}:/workspace