Properly handle command failures

dist/scripts/src/fetch-secrets.sh

@@ -2,6 +2,16 @@
 
 set -euo pipefail
 
+dc_infisical() {
+    # If stdout is a real terminal, allocate TTY
+    if [ -t 1 ]; then
+        docker compose run --rm -t cli infisical "$@"
+        return
+    fi
+
+    docker compose run --rm cli infisical "$@"
+}
+
 fetch_secret() {
     local target_secret="${1:?Target secret local_secret is required}"
     local env="${2:?Environment is required}"
@@ -11,9 +21,10 @@ fetch_secret() {
         # If infisical CLI command is available, use it directly
         infisical-dcli secrets --plain get "${target_secret}" --env "${env}" >"${output_file}"
     else
-        script -q /dev/null \
-            -c "docker compose run --rm -t cli infisical secrets --plain get ""${target_secret}"" --env ""${env}""" \
-            >"${output_file}"
+        if ! dc_infisical secrets --plain get "${target_secret}" --env "${env}" >"${output_file}"; then
+            rm -f "${output_file}" # Clean up if fetch failed
+            return 1
+        fi
     fi
 
     # Check if file is empty