From 97ed8eff3aacdd00f1e278cdce5fe2323ff7427a Mon Sep 17 00:00:00 2001
From: Jeff Emmett <jeffemmett@gmail.com>
Date: Wed, 11 Mar 2026 17:27:21 -0700
Subject: [PATCH] fix: use process.env check instead of shell parameter
 expansion

The ${VAR:-default} syntax caused shell quoting errors inside the
bun -e argument. Instead, skip Infisical values for vars already
set via docker-compose environment.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>
---
 entrypoint.sh | 5 +++--
 1 file changed, 3 insertions(+), 2 deletions(-)

diff --git a/entrypoint.sh b/entrypoint.sh
index 22c116c..82779f7 100644
--- a/entrypoint.sh
+++ b/entrypoint.sh
@@ -33,9 +33,10 @@ fetch_secrets() {
     if (!secrets.secrets) { console.error('[infisical:$5] No secrets returned'); process.exit(1); }
 
     for (const s of secrets.secrets) {
+      // Skip if already set via docker-compose/env (env overrides take precedence)
+      if (process.env[s.secretKey]) continue;
       const escaped = s.secretValue.replace(/'/g, \"'\\\\''\" );
-      // Only set if not already defined (docker-compose env takes precedence)
-      console.log('export ' + s.secretKey + \"=\\${\" + s.secretKey + \":-'\" + escaped + \"'}\");
+      console.log('export ' + s.secretKey + \"='\" + escaped + \"'\");
     }
   } catch (e) { console.error('[infisical:$5] Error:', e.message); process.exit(1); }
 })();