From 4c45b42cb5487976018f3895f63e0d99d9ff3a53 Mon Sep 17 00:00:00 2001
From: Dennis Gaida <gitea@mail.gaida.biz>
Date: Sat, 9 May 2026 23:04:50 +0000
Subject: [PATCH] feat(config): support GITEA_ACCESS_TOKEN_FILE for Docker
 secrets (#186)

I don't like secrets just being added via environment variables. Add support for the `_FILE` environment variable convention used by Docker secrets.

When `GITEA_ACCESS_TOKEN_FILE` is set, the token is read from the file at that path (e.g. `/run/secrets/gitea_token`). Trailing newlines are stripped to handle the typical Docker secrets file format on both Linux and Windows.

Token resolution precedence (highest to lowest):

  1. `--token` / `-T` CLI flag
  2. `GITEA_ACCESS_TOKEN` env var
  3. `GITEA_ACCESS_TOKEN_FILE` env var

Reviewed-on: https://gitea.com/gitea/gitea-mcp/pulls/186
Reviewed-by: Lunny Xiao <xiaolunwen@gmail.com>
Co-authored-by: Dennis Gaida <gitea@mail.gaida.biz>
Co-committed-by: Dennis Gaida <gitea@mail.gaida.biz>
---
 cmd/cmd.go | 12 ++++++++++++
 1 file changed, 12 insertions(+)

diff --git a/cmd/cmd.go b/cmd/cmd.go
index 83cf7eb..090685a 100644
--- a/cmd/cmd.go
+++ b/cmd/cmd.go
@@ -5,6 +5,7 @@ import (
 	"flag"
 	"fmt"
 	"os"
+	"strings"
 	"text/tabwriter"
 
 	"gitea.com/gitea/gitea-mcp/operation"
@@ -53,6 +54,7 @@ func init() {
 		fmt.Fprintln(w)
 		fmt.Fprintln(w, "Environment variables:")
 		fmt.Fprintf(w, "  GITEA_ACCESS_TOKEN\tProvide access token\n")
+		fmt.Fprintf(w, "  GITEA_ACCESS_TOKEN_FILE\tPath to a file containing the access token (e.g. a Docker secret)\n")
 		fmt.Fprintf(w, "  GITEA_DEBUG\tSet to 'true' for debug mode\n")
 		fmt.Fprintf(w, "  GITEA_HOST\tOverride Gitea host URL\n")
 		fmt.Fprintf(w, "  GITEA_INSECURE\tSet to 'true' to ignore TLS errors\n")
@@ -74,6 +76,16 @@ func init() {
 	if flagPkg.Token == "" {
 		flagPkg.Token = os.Getenv("GITEA_ACCESS_TOKEN")
 	}
+	if flagPkg.Token == "" {
+		if tokenFile := os.Getenv("GITEA_ACCESS_TOKEN_FILE"); tokenFile != "" {
+			data, err := os.ReadFile(tokenFile)
+			if err != nil {
+				fmt.Fprintf(os.Stderr, "error reading GITEA_ACCESS_TOKEN_FILE: %v\n", err)
+				os.Exit(1)
+			}
+			flagPkg.Token = strings.TrimRight(string(data), "\r\n")
+		}
+	}
 
 	if os.Getenv("MCP_MODE") != "" {
 		flagPkg.Mode = os.Getenv("MCP_MODE")