From 4b2728de272b94e017fc418929206c9ebccc1e6f Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Wed, 11 Mar 2026 17:24:57 -0700
Subject: [PATCH] fix: let docker-compose env vars take precedence over
 Infisical

Uses ${VAR:-default} pattern so pre-set env vars (from .env or
docker-compose) are not overwritten by Infisical values. Useful
when a secret needs regeneration but Infisical can't be updated
via the read-only machine identity.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 entrypoint.sh | 3 ++-
 1 file changed, 2 insertions(+), 1 deletion(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 8e8ea1c..22c116c 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -34,7 +34,8 @@ fetch_secrets() {
 
     for (const s of secrets.secrets) {
       const escaped = s.secretValue.replace(/'/g, \"'\\\\''\" );
-      console.log('export ' + s.secretKey + \"='\" + escaped + \"'\");
+      // Only set if not already defined (docker-compose env takes precedence)
+      console.log('export ' + s.secretKey + \"=\\${\" + s.secretKey + \":-'\" + escaped + \"'}\");
     }
   } catch (e) { console.error('[infisical:$5] Error:', e.message); process.exit(1); }
 })();