From a19a1f9a8e35027a4c29d558726939b770860359 Mon Sep 17 00:00:00 2001 From: Zeke Abshire Date: Thu, 21 May 2026 20:26:49 -0500 Subject: [PATCH] Added env file support --- README.md | 8 ++++++++ deploy/action.yml | 23 ++++++++++++++++++++++- deploy/deploy.sh | 34 ++++++++++++++++++++++++++-------- examples/deploy.yml | 3 +++ 4 files changed, 59 insertions(+), 9 deletions(-) diff --git a/README.md b/README.md index b241caf..8923a06 100644 --- a/README.md +++ b/README.md @@ -96,6 +96,14 @@ Port the app listens on inside the container (default `3000`) Extra `KEY=VALUE` docker build args (space-separated) +`env-vars` + +Runtime env vars for the container, one `KEY=VALUE` per line. Merged on top of `/opt/apps/${app-name}/.env.${environment}` on the runner — keys defined here win. Reference secrets here so values stay masked in logs. + + env-vars: | + DATABASE_URL=${{ secrets.DATABASE_URL }} + API_KEY=${{ secrets.API_KEY }} + ### Cleanup Stops the preview container and removes its Pangolin resource. Intended for `delete` branch events — the slug is derived from the branch name internally. diff --git a/deploy/action.yml b/deploy/action.yml index 5ade613..45d1a00 100644 --- a/deploy/action.yml +++ b/deploy/action.yml @@ -16,6 +16,13 @@ inputs: required: false default: "" description: Extra docker build args (space-separated KEY=VALUE pairs) + env-vars: + required: false + default: "" + description: | + Runtime env vars for the container, one KEY=VALUE per line. + Merged on top of /opt/apps/${app-name}/.env.${environment} on the runner; + keys defined here win. Use secrets to avoid leaking values into logs. runs: using: composite 
@@ -66,6 +73,19 @@ runs: -t ${{ inputs.app-name }}:${{ steps.derive.outputs.tag }} \ -f dockerfile . + - name: Write workflow env-vars to file + id: env-file + shell: bash + env: + ENV_VARS: ${{ inputs.env-vars }} + run: | + OVERRIDE_FILE="" + if [[ -n "$ENV_VARS" ]]; then + OVERRIDE_FILE=$(mktemp) + printf '%s\n' "$ENV_VARS" > "$OVERRIDE_FILE" + fi + echo "path=$OVERRIDE_FILE" >> "$GITHUB_OUTPUT" + - name: Deploy container shell: bash run: | @@ -74,7 +94,8 @@ runs: --tag "${{ steps.derive.outputs.tag }}" \ --port "${{ steps.derive.outputs.port }}" \ --internal-port "${{ inputs.internal-port }}" \ - --env "${{ steps.derive.outputs.environment }}" + --env "${{ steps.derive.outputs.environment }}" \ + --env-override "${{ steps.env-file.outputs.path }}" - name: Register Pangolin resource shell: bash diff --git a/deploy/deploy.sh b/deploy/deploy.sh index d71a6b4..bd26c74 100644 --- a/deploy/deploy.sh +++ b/deploy/deploy.sh 
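Review bot: The file written by the `Write workflow env-vars to file` step holds the secret values in plaintext and is never removed, so if the runner is persistent (the `/opt/apps/...` path suggests it is) the file outlives the job. `mktemp` creates it owner-only, but in the default temp directory; `OVERRIDE_FILE=$(mktemp "$RUNNER_TEMP/env-override.XXXXXX")` would place it in the directory the runner empties at the end of each job. The same applies to `MERGED=$(mktemp)` in deploy/deploy.sh, where `trap 'rm -f "${MERGED:-}"' EXIT` set before the merge would remove the merged copy when the script exits. Passing the input through `env: ENV_VARS` instead of interpolating it into the script body is the right pattern and should stay.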
@@ -6,27 +6,45 @@ TAG="" PORT="" INTERNAL_PORT="3000" ENV="" +ENV_OVERRIDE="" while [[ $# -gt 0 ]]; do case $1 in - --name) APP_NAME="$2"; shift 2 ;; - --tag) TAG="$2"; shift 2 ;; - --port) PORT="$2"; shift 2 ;; - --internal-port) INTERNAL_PORT="$2"; shift 2 ;; - --env) ENV="$2"; shift 2 ;; + --name) APP_NAME="$2"; shift 2 ;; + --tag) TAG="$2"; shift 2 ;; + --port) PORT="$2"; shift 2 ;; + --internal-port) INTERNAL_PORT="$2";shift 2 ;; + --env) ENV="$2"; shift 2 ;; + --env-override) ENV_OVERRIDE="$2"; shift 2 ;; *) echo "Unknown arg: $1"; exit 1 ;; esac done CONTAINER="${APP_NAME}-${TAG}" +ON_DISK="/opt/apps/${APP_NAME}/.env.${ENV}" echo "→ Deploying container: ${CONTAINER} on port ${PORT}" docker stop "${CONTAINER}" 2>/dev/null && docker rm "${CONTAINER}" 2>/dev/null || true ENV_FILE_ARG="" -if [[ -f "/opt/apps/${APP_NAME}/.env.${ENV}" ]]; then -ENV_FILE_ARG="--env-file /opt/apps/${APP_NAME}/.env.${ENV}" +HAS_ON_DISK=0 +HAS_OVERRIDE=0 +[[ -f "${ON_DISK}" ]] && HAS_ON_DISK=1 +[[ -n "${ENV_OVERRIDE}" && -f "${ENV_OVERRIDE}" ]] && HAS_OVERRIDE=1 + +if (( HAS_ON_DISK == 1 && HAS_OVERRIDE == 0 )); then + ENV_FILE_ARG="--env-file ${ON_DISK}" +elif (( HAS_OVERRIDE == 1 && HAS_ON_DISK == 0 )); then + ENV_FILE_ARG="--env-file ${ENV_OVERRIDE}" +elif (( HAS_ON_DISK == 1 && HAS_OVERRIDE == 1 )); then + MERGED=$(mktemp) + # On-disk first, override second; tac/awk/tac keeps the last occurrence per key. + { cat "${ON_DISK}"; echo; cat "${ENV_OVERRIDE}"; } \ + | grep -Ev '^[[:space:]]*(#|$)' \ + | tac | awk -F= '!seen[$1]++' | tac \ + > "${MERGED}" + ENV_FILE_ARG="--env-file ${MERGED}" fi docker run -d \ @@ -38,4 +56,4 @@ docker run -d \ ${ENV_FILE_ARG} \ "${APP_NAME}:${TAG}" -echo "✓ Container ${CONTAINER} running on 0.0.0.0:${PORT}" \ No newline at end of file +echo "✓ Container ${CONTAINER} running on 0.0.0.0:${PORT}" diff --git a/examples/deploy.yml b/examples/deploy.yml index da547de..dc4d042 100644 --- a/examples/deploy.yml +++ b/examples/deploy.yml 
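Review bot: A non-empty `--env-override` path that does not exist is silently ignored: `[[ -n "${ENV_OVERRIDE}" && -f "${ENV_OVERRIDE}" ]] && HAS_OVERRIDE=1` leaves `HAS_OVERRIDE=0`, and the container then starts with only the on-disk file or with no env file at all. For a deploy that is a fail-open path; a guard before the `HAS_*` checks such as `[[ -z "${ENV_OVERRIDE}" || -f "${ENV_OVERRIDE}" ]] || { echo "env override not found: ${ENV_OVERRIDE}" >&2; exit 1; }` would stop the deploy instead. Separately, `ENV_FILE_ARG` is built as a string and expanded unquoted in `docker run`, so a path containing whitespace would be split; an array (`ENV_FILE_ARGS=(--env-file "${MERGED}")`, expanded as `"${ENV_FILE_ARGS[@]}"`) avoids that. The top of the script and most of the `docker run` invocation are outside the hunks shown.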
@@ -24,6 +24,9 @@ jobs: with: app-name: ${{ vars.APP_NAME }} branch: ${{ github.ref_name }} + env-vars: | + DATABASE_URL=${{ secrets.DATABASE_URL }} + API_KEY=${{ secrets.API_KEY }} cleanup-preview: if: github.event_name == 'delete' && github.event.ref_type == 'branch'