From e398e9153be18ff612a11f6ab86c0831bf3f7677 Mon Sep 17 00:00:00 2001
From: Iwan Huiting <iwan@qlic.nl>
Date: Wed, 15 Apr 2026 13:58:01 +0200
Subject: [PATCH] Changes workflow to not write the .env to its own variable to
 avoid a bug caused by gitea's runner exposing env vars

---
 action.yml | 19 +++++++++++++++----
 1 file changed, 15 insertions(+), 4 deletions(-)

diff --git a/action.yml b/action.yml
index 6a79f9c..22c7062 100644
--- a/action.yml
+++ b/action.yml
@@ -22,6 +22,10 @@ inputs:
   secrets:
     description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
     required: true
+  dot-env-path:
+    description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
+    required: false
+    default: ""
 
 runs:
   using: "composite"
@@ -55,10 +59,17 @@ runs:
           SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
 
           if [ -n "$SECRET_VALUE" ]; then
-            echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
-            echo "$SECRET_VALUE" >> $GITHUB_ENV
-            echo "EOF" >> $GITHUB_ENV
-            echo "Stored $SECRET_ID in $ENV_VAR"
+            if [ "$ENV_VAR" = "DOT_ENV" ] && [ -n "${{ inputs.dot-env-path }}" ]; then
+              mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
+              umask 077
+              printf '%s' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
+              echo "Stored $SECRET_ID in $ENV_VAR file"
+            else
+              echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
+              echo "$SECRET_VALUE" >> $GITHUB_ENV
+              echo "EOF" >> $GITHUB_ENV
+              echo "Stored $SECRET_ID in $ENV_VAR"
+            fi
           else
             echo "Failed to retrieve secret: $SECRET_ID"
           fi