
chore(docker): openemr-cmd up prompt for gh token#624

Open
stephenwaite wants to merge 6 commits intoopenemr:masterfrom
stephenwaite:gh-token-secret

Conversation


@stephenwaite stephenwaite commented Apr 1, 2026

Fixes #

Short description of what this resolves:

walks a dev thru getting their own personal access token

in tandem with openemr/openemr#11386

claude helped with bash stuff

Changes proposed in this pull request:


Copilot AI left a comment


Pull request overview

This PR adds an interactive flow in openemr-cmd to help developers set a GitHub Personal Access Token for Composer (to avoid GitHub API rate limiting) and simplifies the flex container startup script to only consume the raw GITHUB_COMPOSER_TOKEN.

Changes:

  • Add setup-composer-env (sce) command to create/update a .env file containing GITHUB_COMPOSER_TOKEN, and auto-run it from openemr-cmd up when missing/invalid.
  • Add a GitHub rate-limit check during openemr-cmd up to decide whether to re-run token setup.
  • Remove encoded-token fallback logic in docker/openemr/flex/openemr.sh, leaving only GITHUB_COMPOSER_TOKEN.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File Description
utilities/openemr-cmd/openemr-cmd Adds token setup command and hooks it into up, including a GitHub API check.
docker/openemr/flex/openemr.sh Simplifies composer token handling to only try GITHUB_COMPOSER_TOKEN.


Comment thread utilities/openemr-cmd/openemr-cmd Outdated
echo ""
echo "A GitHub Personal Access Token lets Composer avoid GitHub API rate limits"
echo "when pulling dependencies. It should never be committed to the repository."
echo "This writes GITHUB_COMPOSER_TOKEN plus its derived encoded variants to: ${ENV_FILE}"

Copilot AI Apr 2, 2026


The setup text says it will write “derived encoded variants” of the token, but this function only writes GITHUB_COMPOSER_TOKEN. Either remove that wording or actually write the encoded variants (if they’re still needed elsewhere).

Suggested change
echo "This writes GITHUB_COMPOSER_TOKEN plus its derived encoded variants to: ${ENV_FILE}"
echo "This writes GITHUB_COMPOSER_TOKEN to: ${ENV_FILE}"

Comment thread utilities/openemr-cmd/openemr-cmd Outdated
echo ""

local TOKEN
read -r -e -p "Paste your GitHub Personal Access Token: " TOKEN </dev/tty

Copilot AI Apr 2, 2026


The prompt reads the PAT with normal read, which echoes the token to the terminal and stores it in scrollback/history for many shells. Use silent input (e.g., read -s) and consider disabling readline (-e) for secret entry.

Suggested change
read -r -e -p "Paste your GitHub Personal Access Token: " TOKEN </dev/tty
read -r -s -p "Paste your GitHub Personal Access Token: " TOKEN </dev/tty
echo ""


echo ""
echo "✓ Written to ${ENV_FILE}: GITHUB_COMPOSER_TOKEN = ${TOKEN:0:12}..."
echo " (.env is covered by the root .gitignore)"

Copilot AI Apr 2, 2026


This message claims the root .gitignore covers .env, but the repo’s .gitignore currently does not ignore .env. Since this command creates/updates ../../.env with a PAT, this is a real risk of accidentally committing credentials. Either update the repo ignore rules / use a file that’s already ignored, or change the guidance and default path.

Suggested change
echo " (.env is covered by the root .gitignore)"
echo " WARNING: ${ENV_FILE} is not ignored by git by default. Add it to .gitignore to avoid committing credentials."

Member Author

added .env to the .gitignore here in this repo even though it applies when running in openemr

Comment thread utilities/openemr-cmd/openemr-cmd Outdated
else
UP_TOKEN=$(grep "^GITHUB_COMPOSER_TOKEN=" "../../.env" | cut -d= -f2)
UP_REMAINING=$(curl -sf -H "Authorization: token ${UP_TOKEN}" \
https://api.github.com/rate_limit | grep -o '"remaining":[0-9]*' | head -1 | cut -d: -f2)

Copilot AI Apr 2, 2026


With set -euo pipefail, this command substitution will cause openemr-cmd up to exit immediately if curl fails (offline), GitHub is unreachable, or grep finds no match. Wrap the curl/parse pipeline in || true (or temporarily disable errexit) and handle an empty/failed response explicitly so up still proceeds or falls back to setup_composer_env. Also note the PAT is passed on the curl command line (visible via process listings); consider avoiding this validity check or using a safer mechanism.

Suggested change
https://api.github.com/rate_limit | grep -o '"remaining":[0-9]*' | head -1 | cut -d: -f2)
https://api.github.com/rate_limit | grep -o '"remaining":[0-9]*' | head -1 | cut -d: -f2 || true)

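The points raised in the review comments above (silent token entry, keeping the PAT off the curl command line, tolerating a failed rate-limit check under set -euo pipefail, and not assuming .env is git-ignored) pulled together as an added example. This is not code from this PR or from openemr-cmd: the function names, the curl config-file approach, the owner-only file permissions, the 60-request threshold and the sample JSON body are my assumptions, constructed for illustration. It assumes bash, curl and git are installed.

```bash
#!/usr/bin/env bash
# Added example, not code from this PR or from openemr-cmd.
# Hardened building blocks for the token flow discussed in the review:
#  - the PAT is read silently (no echo, no readline history),
#  - the PAT reaches curl through a 0600 config file, not argv,
#  - the rate-limit check never aborts the script under `set -euo pipefail`,
#  - the env file is written owner-only and checked against .gitignore.
# Function names, threshold and file layout are assumptions for illustration.
set -euo pipefail

# Prompt for a PAT without echoing it (assumes a controlling tty).
prompt_token() {
  local token
  read -r -s -p "Paste your GitHub Personal Access Token: " token </dev/tty
  printf '\n' >/dev/tty
  printf '%s' "$token"
}

# Write a curl config file carrying the Authorization header, so the token is
# not visible in process listings (`ps`) the way a -H "token ..." argument is.
write_curl_config() {
  local token="$1" cfg="$2"
  ( umask 077; printf 'header = "Authorization: token %s"\n' "$token" > "$cfg" )
}

# Extract "remaining" from a /rate_limit JSON body. Prints the number, or
# nothing when the body is empty or malformed; never returns non-zero, so it
# is safe inside $(...) under set -e / pipefail.
rate_limit_remaining() {
  local body="$1"
  printf '%s' "$body" | grep -o '"remaining":[0-9]*' | head -n 1 | cut -d: -f2 || true
}

# Call GitHub and print the remaining request count, or "" when offline,
# unreachable, or rejected (curl -f). The `|| true` keeps `up` running.
check_rate_limit() {
  local token="$1" cfg body
  cfg=$(mktemp)
  write_curl_config "$token" "$cfg"
  body=$(curl -sf -K "$cfg" https://api.github.com/rate_limit 2>/dev/null || true)
  rm -f "$cfg"
  rate_limit_remaining "$body"
}

# Decide whether setup should (re)run. An empty or non-numeric value means the
# check itself failed; a value at or below 60 is the unauthenticated ceiling,
# i.e. the token was not accepted (assumed threshold).
needs_token_setup() {
  local remaining="$1"
  case "$remaining" in ''|*[!0-9]*) return 0 ;; esac
  [ "$remaining" -le 60 ]
}

# Write (or replace) GITHUB_COMPOSER_TOKEN in an env file kept owner-only,
# preserving any other lines the file already holds.
write_env_token() {
  local token="$1" env_file="$2" tmp
  tmp=$(mktemp)
  if [ -f "$env_file" ]; then
    grep -v '^GITHUB_COMPOSER_TOKEN=' "$env_file" > "$tmp" || true
  fi
  printf 'GITHUB_COMPOSER_TOKEN=%s\n' "$token" >> "$tmp"
  chmod 600 "$tmp"
  mv "$tmp" "$env_file"
}

# Report whether git would actually ignore the env file ("ignored" or
# "NOT ignored") instead of hard-coding a claim about the root .gitignore.
env_ignore_status() {
  if git check-ignore -q "$1" 2>/dev/null; then echo ignored; else echo "NOT ignored"; fi
}

# Constructed sample of the part of GitHub's /rate_limit response we parse.
SAMPLE_RATE_LIMIT='{"resources":{"core":{"limit":5000,"used":1,"remaining":4999,"reset":1}},"rate":{"limit":5000,"remaining":4999}}'

# Interactive flow; usage: main ../../.env
main() {
  local env_file="${1:-./.env}" token remaining
  token=$(prompt_token)
  write_env_token "$token" "$env_file"
  echo "Written to ${env_file}: GITHUB_COMPOSER_TOKEN = ${token:0:12}... (${env_file} is $(env_ignore_status "$env_file") by git)"
  remaining=$(check_rate_limit "$token")
  if needs_token_setup "$remaining"; then
    echo "Token check failed or token not accepted; re-run setup." >&2
  else
    echo "GitHub API requests remaining: ${remaining}"
  fi
}
```

Only the interactive `main` needs a tty and network; the parsing, decision and file-writing helpers run offline, which is what makes them testable before wiring them into `up`.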
Comment thread utilities/openemr-cmd/openemr-cmd Outdated

if [[ ! -f "docker-compose.yml" ]]; then
echo "Error: docker-compose.yml not found in current directory." >&2
echo "Please run this command from the docker/development-easy directory." >&2
Member

can't this also be other directories? (insane one, predis one)

@bradymiller

neat stuff!

@bradymiller

prob makes sense to get the worktree stuff in the code first since this mechanism may result in some minor modifications to work with that feature in place.
