Fix escaping of ENV

datasette/publish/common.py

@@ -44,7 +44,8 @@ def add_common_publish_arguments_and_options(subcommand):
             click.option(
                 "--plugin-secret",
                 nargs=3,
-                type=str,
+                type=(str, str, str),
+                callback=validate_plugin_secret,
                 multiple=True,
                 help="Secrets to pass to plugins, e.g. --plugin-secret datasette-auth-github client_id xxx",
             ),
@@ -83,3 +84,10 @@ def fail_if_publish_binary_not_installed(binary, publish_target, install_link):
             err=True,
         )
         sys.exit(1)
+
+
+def validate_plugin_secret(ctx, param, value):
+    for plugin_name, plugin_setting, setting_value in value:
+        if "'" in setting_value:
+            raise click.BadParameter("--plugin-secret cannot contain single quotes")
+    return value

datasette/utils/__init__.py

@@ -316,7 +316,7 @@ EXPOSE 8001
 CMD {cmd}""".format(
         environment_variables="\n".join(
             [
-                "ENV {} {}".format(key, value)
+                "ENV {} '{}'".format(key, value)
                 for key, value in (environment_variables or {}).items()
             ]
         ),

docs/datasette-publish-cloudrun-help.txt

@@ -10,8 +10,9 @@ Options:
   --plugins-dir DIRECTORY         Path to directory containing custom plugins
   --static STATIC MOUNT           mountpoint:path-to-directory for serving static files
   --install TEXT                  Additional packages (e.g. plugins) to install
-  --plugin-secret TEXT...   Secrets to pass to plugins, e.g. --plugin-secret datasette-
+  --plugin-secret <TEXT TEXT TEXT>...
-                            auth-github client_id xxx
+                                  Secrets to pass to plugins, e.g. --plugin-secret
+                                  datasette-auth-github client_id xxx
   --version-note TEXT             Additional note to show on /-/versions
   --title TEXT                    Title for metadata
   --license TEXT                  License label for metadata

docs/datasette-publish-heroku-help.txt

@@ -10,8 +10,9 @@ Options:
   --plugins-dir DIRECTORY         Path to directory containing custom plugins
   --static STATIC MOUNT           mountpoint:path-to-directory for serving static files
   --install TEXT                  Additional packages (e.g. plugins) to install
-  --plugin-secret TEXT...   Secrets to pass to plugins, e.g. --plugin-secret datasette-
+  --plugin-secret <TEXT TEXT TEXT>...
-                            auth-github client_id xxx
+                                  Secrets to pass to plugins, e.g. --plugin-secret
+                                  datasette-auth-github client_id xxx
   --version-note TEXT             Additional note to show on /-/versions
   --title TEXT                    Title for metadata
   --license TEXT                  License label for metadata

docs/datasette-publish-nowv1-help.txt

@@ -10,8 +10,9 @@ Options:
   --plugins-dir DIRECTORY         Path to directory containing custom plugins
   --static STATIC MOUNT           mountpoint:path-to-directory for serving static files
   --install TEXT                  Additional packages (e.g. plugins) to install
-  --plugin-secret TEXT...   Secrets to pass to plugins, e.g. --plugin-secret datasette-
+  --plugin-secret <TEXT TEXT TEXT>...
-                            auth-github client_id xxx
+                                  Secrets to pass to plugins, e.g. --plugin-secret
+                                  datasette-auth-github client_id xxx
   --version-note TEXT             Additional note to show on /-/versions
   --title TEXT                    Title for metadata
   --license TEXT                  License label for metadata