Changes workflow to not write the .env to its own variable to avoid a bug caused by gitea's runner exposing env vars

action.yml

@@ -22,6 +22,10 @@ inputs:
   secrets:
     description: "List of secret IDs and corresponding environment variable names (format: 'SECRET_ID > ENV_VAR')"
     required: true
+  dot-env-path:
+    description: "Path to write the DOT_ENV secret to instead of exporting it via GITHUB_ENV"
+    required: false
+    default: ""
 
 runs:
   using: "composite"
@@ -55,10 +59,17 @@ runs:
           SECRET_VALUE=$(bw get notes "$SECRET_ID" --session "$BW_SESSION" --raw 2>/dev/null)
 
           if [ -n "$SECRET_VALUE" ]; then
-            echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
+            if [ "$ENV_VAR" = "DOT_ENV" ] && [ -n "${{ inputs.dot-env-path }}" ]; then
-            echo "$SECRET_VALUE" >> $GITHUB_ENV
+              mkdir -p "$(dirname "${{ inputs.dot-env-path }}")"
-            echo "EOF" >> $GITHUB_ENV
+              umask 077
-            echo "Stored $SECRET_ID in $ENV_VAR"
+              printf '%s' "$SECRET_VALUE" > "${{ inputs.dot-env-path }}"
+              echo "Stored $SECRET_ID in $ENV_VAR file"
+            else
+              echo "$ENV_VAR<<EOF" >> $GITHUB_ENV
+              echo "$SECRET_VALUE" >> $GITHUB_ENV
+              echo "EOF" >> $GITHUB_ENV
+              echo "Stored $SECRET_ID in $ENV_VAR"
+            fi
           else
             echo "Failed to retrieve secret: $SECRET_ID"
           fi