feat(pass): add --env-file to pass run#526
`pass run` now reads variables from one or more dotenv files in addition to the process environment, matching `op run --env-file` ergonomics.

- `--env-file FILE` is repeatable.
- Merge order: process env first, each file in order; later entries override earlier ones.
- `se://` references in file values resolve through the daemon the same way process env vars already do.
- Missing or unreadable files are a hard error before exec — the child never starts with a partially-merged environment.

Parsing uses github.com/joho/godotenv to match real dotenv semantics (quoted values, comments, etc.) without hand-rolling a parser.

Signed-off-by: Johannes Großmann <grossmann.johannes@t-online.de>
| } | ||
| } | ||
| for _, f := range files { | ||
| parsed, err := godotenv.Read(f) |
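Review bot: the error returned by `parsed, err := godotenv.Read(f)` should be wrapped with the file name before it becomes the pre-exec hard error the description promises, e.g. `fmt.Errorf("--env-file %s: %w", f, err)`; the open error from `os.Open` carries the path, but a parse error from godotenv does not, so with several repeated `--env-file` flags the user would otherwise not learn which file failed. The context lines above the loop end in closing braces and the hunk stops at the `Read` call, so the actual error handling is not visible here and is worth confirming.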
**BUG: godotenv.Read expands $VAR using only the in-file variable map; process-env vars silently become empty strings**

`godotenv.Read(f)` resolves `$VAR` references during parsing using only variables defined within the same file. The process environment is never consulted.

```go
parsed, err := godotenv.Read(f) // expansion is in-file-only
```

Silent failure scenario: If a user writes a parameterised secret reference in their .env file:

```sh
# .env file
SE_TOKEN=se://$ACCOUNT/prod/db
```

expecting `$ACCOUNT` to come from the process environment, `godotenv.Read` silently expands it to the empty string, yielding `se:///prod/db`. This invalid path is then sent to the secrets daemon, which returns a cryptic error — the user has no indication that variable expansion failed.

**Fix:** Use `godotenv.Parse` (which returns raw values without expansion) instead of `godotenv.Read`, then perform variable expansion against the merged environment map after combining process env and file values:

```go
parsed, err := godotenv.Parse(file) // no expansion
// then apply os.Expand(v, mergedMap.Get) on values that contain $
```

Or at minimum, document this limitation prominently in the flag help text so users know `$VAR` in .env values only references other variables in the same file.
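The reviewer's suggested fix, carried through end to end as an added example (this is my code, not the PR's or the pass project's): dotenv values are parsed raw, layered over the process environment in the order the files were given, and only then expanded, with an undefined reference reported instead of silently becoming the empty string. The small `parseDotenv` below is a stand-in constructed for the example in place of godotenv, and `loadEnvFiles`, `mergeEnv` and `expandAll` are hypothetical names.

```go
package main

import (
	"bufio"
	"fmt"
	"os"
	"strings"
)

// parseDotenv is a small dotenv reader that returns RAW values and never expands
// $VAR. Constructed for this example; the PR itself uses github.com/joho/godotenv.
func parseDotenv(content string) (map[string]string, error) {
	out := map[string]string{}
	sc := bufio.NewScanner(strings.NewReader(content))
	for n := 1; sc.Scan(); n++ {
		line := strings.TrimSpace(sc.Text())
		if line == "" || strings.HasPrefix(line, "#") {
			continue
		}
		k, v, ok := strings.Cut(strings.TrimPrefix(line, "export "), "=")
		if k = strings.TrimSpace(k); !ok || k == "" {
			return nil, fmt.Errorf("line %d: expected KEY=VALUE", n)
		}
		v = strings.TrimSpace(v)
		if len(v) > 1 && (v[0] == '"' || v[0] == '\'') && strings.IndexByte(v[1:], v[0]) >= 0 {
			v = v[1 : 1+strings.IndexByte(v[1:], v[0])] // quoted: contents verbatim
		} else if i := strings.Index(v, " #"); i >= 0 {
			v = strings.TrimSpace(v[:i]) // unquoted: strip trailing comment
		}
		out[k] = v
	}
	return out, sc.Err()
}

// loadEnvFiles reads every --env-file up front: a missing, unreadable or
// malformed file is a hard error, so the child never sees a partial merge.
func loadEnvFiles(paths []string) ([]map[string]string, error) {
	var layers []map[string]string
	for _, p := range paths {
		raw, err := os.ReadFile(p)
		var m map[string]string
		if err == nil {
			m, err = parseDotenv(string(raw))
		}
		if err != nil {
			return nil, fmt.Errorf("--env-file %s: %w", p, err)
		}
		layers = append(layers, m)
	}
	return layers, nil
}

// mergeEnv layers each file over the process environment in order; later
// entries override earlier ones. Values are still unexpanded here.
func mergeEnv(processEnv []string, layers ...map[string]string) map[string]string {
	merged := make(map[string]string, len(processEnv))
	for _, kv := range processEnv {
		if k, v, ok := strings.Cut(kv, "="); ok {
			merged[k] = v
		}
	}
	for _, layer := range layers {
		for k, v := range layer {
			merged[k] = v
		}
	}
	return merged
}

// expandAll resolves $VAR / ${VAR} against the MERGED map, so a file value can
// reference a process-env variable. Undefined names are an error, not "".
func expandAll(merged map[string]string) (map[string]string, error) {
	out := make(map[string]string, len(merged))
	var missing []string
	for k, v := range merged {
		out[k] = os.Expand(v, func(name string) string {
			val, ok := merged[name]
			if !ok {
				missing = append(missing, k+" references undefined $"+name)
			}
			return val
		})
	}
	if len(missing) > 0 {
		return nil, fmt.Errorf("unresolved references: %s", strings.Join(missing, "; "))
	}
	return out, nil
}

func main() {
	layers, err := loadEnvFiles(os.Args[1:]) // usage: ./example .env .env.local
	if err == nil {
		_, err = expandAll(mergeEnv(os.Environ(), layers...))
	}
	if err != nil {
		fmt.Fprintln(os.Stderr, "refusing to exec:", err) // hard error before exec
		os.Exit(1)
	}
}
```

With `ACCOUNT=acme` in the process environment and `SE_TOKEN=se://$ACCOUNT/prod/db` in the file, this yields `se://acme/prod/db` rather than the `se:///prod/db` the review comment describes. Expansion is a single pass over the merged map, so a line such as `PATH=$PATH:/opt/bin` would see the file's own raw value rather than the process one; expanding each file against the environment merged so far is the refinement if that case matters. Because `os.Expand` treats a lone `$5` as a variable reference, a literal dollar sign in a value surfaces as an unresolved-reference error, which is the safer default for secret references.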