OpsGuild · Hordunlarmy · Jan 29, 2026 · Jan 29, 2026
diff --git a/README.md b/README.md
@@ -70,7 +70,7 @@ metaldeploy --host 1.2.3.4 --user root --ssh-key ~/.ssh/id_rsa --type docker
     ssh_key: ${{ secrets.SSH_PRIVATE_KEY }}
     environment: prod
     # Pass all secrets in one go (Zero-Config)
-    env_blob: ${{ toJSON(secrets) }}
+    # environment: prod
 ```
 
 ### Advanced Example with Docker
@@ -105,9 +105,7 @@ Copy specific files or directories (like `node_modules` or `dist/`) to the serve
 
 ### Secure Secret Management
 
-MetalDeploy is designed for Zero-Config secret management. Use the **`env_blob`** input to pass all repository secrets without mapping them manually.
-
-- **Bulk Injection**: Use `env_blob: ${{ toJSON(secrets) }}` to securely tunnel all secrets starting with `ENV_` to your server.
+- **Bulk Injection**: Use `ENV` to securely tunnel your raw variable block to your server.
 - **Manual Overrides**: Use the standard GitHub Action **`env:`** block to override secrets for specific steps.
 
 ```yaml
@@ -116,9 +114,7 @@ MetalDeploy is designed for Zero-Config secret management. Use the **`env_blob`*
   env:
     ENV_APP_PORT: 3000 # This wins over repository secrets
   with:
-    env_blob: ${{ toJSON(secrets) }}
     env_files_generate: true
-    ...
 ```
 
 ### Multi-Server Deployment

diff --git a/action.yml b/action.yml
@@ -102,9 +102,6 @@ inputs:
   copy_artifacts:
     description: 'Comma-separated list of build artifacts to copy to the server (local_path:remote_path). Paths are relative to git_dir unless absolute.'
     required: false
-  env_blob:
-    description: 'A block of environment variables in KEY=VALUE format (e.g., from a secret) to be included in .env files without prefixes.'
-    required: false
 outputs:
   deployment_status:
     description: 'Deployment status (success/failed)'
@@ -204,5 +201,4 @@ runs:
         ENV_FILES_CREATE_ROOT: ${{ inputs.env_files_create_root }}
         ENV_FILES_FORMAT: ${{ inputs.env_files_format }}
         COPY_ARTIFACTS: ${{ inputs.copy_artifacts }}
-        ENV_BLOB: ${{ inputs.env_blob }}
         GITHUB_WORKSPACE: ${{ github.workspace }}
diff --git a/changelogs/2026-01-29_19-11-03.md b/changelogs/2026-01-29_19-11-03.md
@@ -3,4 +3,4 @@
 ## [Unreleased]
 
 ### Changed
-- Enhanced environment variable parsing for `env` format secrets. The parser now robustly handles multi-line values, correctly ignores comment lines, and accurately strips leading/trailing quotes from string values, improving reliability when processing complex environment variable strings.
+- Enhanced environment variable parsing for `env` format secrets. The parser now robustly handles multi-line values, correctly ignores comment lines, and accurately strips leading/trailing quotes from string values, improving reliability when processing complex environment variable strings.
diff --git a/changelogs/2026-01-29_19-47-44.md b/changelogs/2026-01-29_19-47-44.md
@@ -0,0 +1,16 @@
+# Changelog
+
+## [Unreleased]
+
+### Added
+- Introduced a new intelligent merging mechanism for environment files, allowing the `ENV` secret to serve as a raw template. This preserves comments, blank lines, and custom formatting in your `.env` files while seamlessly merging new or overridden variables.
+
+### Changed
+- **Environment Variable Handling Refined**:
+    - The core logic for generating `.env` files has been significantly refactored to prioritize the new raw template merging capabilities.
+    - The `parse_all_in_one_secret` function now includes a `strip_quotes` parameter, providing more granular control over how environment variable values are processed.
+- **Improved Security**: Environment files generated on the remote server are now created with more restrictive `0o600` permissions, enhancing secret protection.
+- **Documentation Updates**: The `README.md` and `docs/env-generation.md` have been updated to reflect the new environment variable management approach and the removal of the `env_blob` input.
+
+### Removed
+- The `env_blob` input from `action.yml` has been removed. Its functionality is now superseded by the enhanced capabilities of the `ENV` secret for passing raw environment variable blocks and templating.
diff --git a/changelogs/2026-01-29_19-48-25.md b/changelogs/2026-01-29_19-48-25.md
@@ -0,0 +1,11 @@
+# Changelog
+
+## [Unreleased]
+
+### Changed
+- **Enhanced Environment File Templating**: The `ENV` secret can now be used as a base template for generated `.env` files. This allows for more structured and human-readable configurations by intelligently merging new or overriding environment variables while preserving existing comments, blank lines, and custom formatting within the template.
+- **Stricter File Permissions**: Generated environment files (e.g., `.env`, `.env.app`) are now created with more restrictive `0o600` permissions (read/write only for the file owner), enhancing security by limiting access.
+- **Refined Secret Parsing**: Further internal refinements to the environment variable parsing logic improve robustness when handling various formats and merging into base templates, ensuring more reliable processing of complex environment variable strings.
+
+### Removed
+- The `env_blob` input and its associated functionality for bulk secret injection have been removed. Users should now leverage the `ENV` secret for providing raw blocks of variables that serve as a base template for generated environment files.