feat: implemented token auth

main.go

@@ -11,12 +11,17 @@ import (
 	"net/url"
 	"os"
 	"os/signal"
+	"strconv"
 	"strings"
 	"syscall"
 	"time"
 )
 
 func main() {
+	if maybeHandleGitAskpass() {
+		return
+	}
+
 	slog.SetDefault(slog.New(slog.NewTextHandler(os.Stdout, &slog.HandlerOptions{
 		Level: slog.LevelInfo,
 	})))
@@ -32,8 +37,11 @@ func main() {
 		"zones", cfg.Zones,
 		"repo_path", cfg.RepoPath,
 		"dynamic_dir", cfg.DynamicDir,
+		"git_https_token_enabled", cfg.GitAuthToken != "",
+		"git_auth_username", cfg.GitAuthUsername,
 		"reconcile_interval", cfg.ReconcileInterval,
 		"debounce_delay", cfg.DebounceDelay,
+		"cf_auto_ttl", cfg.CloudflareAutoTTL,
 	)
 
 	ctx, stop := signal.NotifyContext(context.Background(), syscall.SIGTERM, syscall.SIGINT)
@@ -107,6 +115,29 @@ func main() {
 	slog.Info("traefik-dns-watcher stopped")
 }
 
+// maybeHandleGitAskpass serves username/password for git HTTPS auth in non-interactive mode.
+// This process mode is only enabled for git child processes that set TDW_GIT_ASKPASS=1.
+func maybeHandleGitAskpass() bool {
+	enabled, _ := strconv.ParseBool(os.Getenv("TDW_GIT_ASKPASS"))
+	if !enabled {
+		return false
+	}
+
+	prompt := ""
+	if len(os.Args) > 1 {
+		prompt = strings.ToLower(os.Args[1])
+	}
+
+	if strings.Contains(prompt, "username") {
+		fmt.Fprint(os.Stdout, os.Getenv("GIT_AUTH_USERNAME"))
+		return true
+	}
+
+	// For password/token prompts, return token by default.
+	fmt.Fprint(os.Stdout, os.Getenv("GIT_AUTH_TOKEN"))
+	return true
+}
+
 // watchDockerEvents connects to the Docker daemon and forwards container lifecycle
 // events to the trigger function. Reconnects with exponential backoff on failure.
 func watchDockerEvents(ctx context.Context, trigger func()) {