From aa38a870e916742cae03eaae850d5a3b892ca60e Mon Sep 17 00:00:00 2001
From: Hugh Hackman
Date: Tue, 21 Apr 2026 19:42:05 +0000
Subject: [PATCH] fix: use printf %s for PEM write and remove -binary from openssl dgst

QA feedback from Regina on PR #106:
- echo may add trailing newline, corrupting PEM content; use printf %s
- -binary flag in openssl dgst is unnecessary and removed
Co-Authored-By: Paperclip
---
 .github/workflows/auto-merge.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)
diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
index 6972fcd..f6c9f75 100644
--- a/.github/workflows/auto-merge.yaml
+++ b/.github/workflows/auto-merge.yaml
@@ -102,7 +102,7 @@ jobs:
 echo "Generating CTO app installation token for merge..."
 CTO_PEM_FILE=$(mktemp)
- echo "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"
+ printf '%s' "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"
 chmod 600 "$CTO_PEM_FILE"
 b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
@@ -111,7 +111,7 @@ jobs:
 HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | jq -r -c .)
 PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "${{ vars.CTO_APP_ID }}" | jq -r -c .)
 SIGNED=$(printf '%s' "$HEADER" | b64enc).$(printf '%s' "$PAYLOAD" | b64enc)
- SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "$CTO_PEM_FILE" | b64enc)
+ SIG=$(printf '%s' "$SIGNED" | openssl dgst -sha256 -sign "$CTO_PEM_FILE" | b64enc)
 JWT="${SIGNED}.${SIG}"
 rm -f "$CTO_PEM_FILE"
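Review bot: In the first hunk (the PEM write), `${{ secrets.CTO_APP_PEM }}` is still expanded into the script text before bash parses it, so the private key becomes part of the shell source and any `"`, `$` or backtick in the value is interpreted by the shell instead of being written to the file. Pass it through the step's environment (`env:` with `CTO_APP_PEM: ${{ secrets.CTO_APP_PEM }}`) and write it with `printf '%s\n' "$CTO_APP_PEM" > "$CTO_PEM_FILE"`. A single newline after the END line is normal for a PEM file, so dropping it as this change does looks unnecessary; this is worth confirming against the key as it is stored. The step's `run:` header and any `env:` block lie outside the hunk.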
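Review bot: In the second hunk (the signing lines), `rm -f "$CTO_PEM_FILE"` is reached only when every command between `mktemp` and it succeeds; if the step runs under `bash -e`, which appears to be the Actions default, a failing `jq` or `openssl` exits first and leaves the private key on the runner's disk. Register the cleanup right after the file is created with `trap 'rm -f "$CTO_PEM_FILE"' EXIT`, which matters most on self-hosted runners. Separately, unless `pipefail` is set, a failed `openssl dgst -sign` is masked by `b64enc` and yields an empty signature, so a guard such as `[ -n "$SIG" ] || { echo "JWT signing failed" >&2; exit 1; }` after the `SIG=` line would fail early. The rest of the run script is outside the hunk, so the shell options in effect could not be confirmed.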