From 57285ce145e19a2dfafd04691b565fec4d2c8a9a Mon Sep 17 00:00:00 2001
From: Jeffery
Date: Tue, 12 May 2026 01:12:32 +0000
Subject: [PATCH] fix: update askpass script to securely read token from env var
---
 app/git.js | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)
diff --git a/app/git.js b/app/git.js
index 143e848..fe11ac5 100644
--- a/app/git.js
+++ b/app/git.js
@@ -21,11 +21,12 @@ export async function commitAndPush(workspace, _spawnSync = spawnSync) {
 const remoteUrl = `${baseUrl}/${GITEA_REPOSITORY}.git`;
 const repoDir = path.join(workspace, 'repo');
- // Write a temporary askpass script so the token never appears in the URL or process list
+ // Write a temporary askpass script that reads the token from an env var,
+ // so the token value never appears in the script file itself
 const askpassScript = path.join(workspace, '.git-askpass.sh');
- fs.writeFileSync(askpassScript, `#!/bin/sh\necho "${GITEA_TOKEN}"\n`, { mode: 0o700 });
+ fs.writeFileSync(askpassScript, '#!/bin/sh\necho "$GIT_TOKEN"\n', { mode: 0o700 });
- const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token' };
+ const credEnv = { ...process.env, GIT_ASKPASS: askpassScript, GIT_USERNAME: 'x-token', GIT_TOKEN: GITEA_TOKEN };
 try {
 if (!fs.existsSync(repoDir)) {
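Review bot: The askpass script written on the new `fs.writeFileSync` line still prints the token for every prompt git sends, so if git asks for a username (this depends on how `baseUrl` is built, which is not visible here) the token is sent as the username as well, and `GIT_USERNAME` in `credEnv` is not read by anything shown. The script can branch on the prompt text git passes as its first argument: `case "$1" in Username*) echo "$GIT_USERNAME" ;; *) echo "$GIT_TOKEN" ;; esac`. Separately, `mode: 0o700` is applied only when the file is created, so a leftover `.git-askpass.sh` keeps whatever permissions it already had; since git now executes that file with `GIT_TOKEN` in its environment, adding `fs.chmodSync(askpassScript, 0o700);` after the write (or removing the file first) would pin the permissions down. The body of `commitAndPush` starts before and continues past this hunk, so any cleanup of the script in a `finally` is not visible from here.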