Normalize Infisical secrets before runtime

2025-10-28 12:39:50 +00:00 · 2025-10-28 12:39:50 +00:00 · 21e02bb34f
commit 21e02bb34f
parent 222ad13724
2 changed files with 18 additions and 2 deletions
--- a/.gitea/workflows/deploy.yml
+++ b/.gitea/workflows/deploy.yml
@ -58,7 +58,7 @@ jobs:
          fi

          # Persist a runtime .env so external checks that expect the file succeed.
-          cp "$tmp_file" .env
+          : > .env

          while IFS= read -r line || [ -n "$line" ]; do
            if [ -z "$line" ] || [[ "$line" == \#* ]]; then
@ -66,8 +66,16 @@ jobs:
            fi
            key="${line%%=*}"
            value="${line#*=}"
+            value="${value%$'\r'}"
+            if [[ "$value" == "\""* && "$value" == *"\"" ]]; then
+              value="${value:1:-1}"
+            elif [[ "$value" == "'"* && "$value" == *"'" ]]; then
+              value="${value:1:-1}"
+            fi
+
            echo "::add-mask::$value"
            printf '%s=%s\n' "$key" "$value" >> "$GITHUB_ENV"
+            printf '%s=%s\n' "$key" "$value" >> .env
          done < "$tmp_file"

          rm -f "$tmp_file"
--- a/DEPLOYMENT_GUIDE.md
+++ b/DEPLOYMENT_GUIDE.md
@ -314,7 +314,7 @@ jobs:
              "$CLI_IMAGE" export --format=dotenv > "$tmp_file"
          fi

-          cp "$tmp_file" .env
+          : > .env

          while IFS= read -r line || [ -n "$line" ]; do
            if [ -z "$line" ] || [[ "$line" == \#* ]]; then
@ -322,8 +322,16 @@ jobs:
            fi
            key="${line%%=*}"
            value="${line#*=}"
+            value="${value%$'\r'}"
+            if [[ "$value" == "\""* && "$value" == *"\"" ]]; then
+              value="${value:1:-1}"
+            elif [[ "$value" == "'"* && "$value" == *"'" ]]; then
+              value="${value:1:-1}"
+            fi
+
            echo "::add-mask::$value"
            printf '%s=%s\n' "$key" "$value" >> "$GITHUB_ENV"
+            printf '%s=%s\n' "$key" "$value" >> .env
          done < "$tmp_file"

          rm -f "$tmp_file"