From dea24046c24d65c061a3e9524c0b11fcd2ab11c8 Mon Sep 17 00:00:00 2001
From: "privilegedescalation-engineer[bot]" <269729446+privilegedescalation-engineer[bot]@users.noreply.github.com>
Date: Tue, 21 Apr 2026 20:37:52 +0000
Subject: [PATCH] fix(auto-merge): use printf %s for PEM write and remove -binary from openssl dgst

Fixes two bugs in the auto-merge workflow PEM handling:
- echo may add trailing newline corrupting PEM content; use printf %s
- -binary flag in openssl dgst is unnecessary and removed

QA approved by privilegedescalation-qa (2026-04-21T20:24:46Z)
CTO approved by privilegedescalation-cto (2026-04-21T20:37:22Z)

Fixes PRI-173.
Resolves PRI-179.

Co-Authored-By: Paperclip
---
 .github/workflows/auto-merge.yaml | 4 ++--
 1 file changed, 2 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/auto-merge.yaml b/.github/workflows/auto-merge.yaml
index 6972fcd..f6c9f75 100644
--- a/.github/workflows/auto-merge.yaml
+++ b/.github/workflows/auto-merge.yaml
@@ -102,7 +102,7 @@ jobs:
 echo "Generating CTO app installation token for merge..."
 CTO_PEM_FILE=$(mktemp)
-echo "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"
+printf '%s' "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"
 chmod 600 "$CTO_PEM_FILE"
 b64enc() { openssl enc -base64 -A | tr '+/' '-_' | tr -d '='; }
@@ -111,7 +111,7 @@ jobs:
 HEADER=$(printf '{"alg":"RS256","typ":"JWT"}' | jq -r -c .)
 PAYLOAD=$(printf '{"iat":%s,"exp":%s,"iss":"%s"}' "$NOW" "$((NOW + 600))" "${{ vars.CTO_APP_ID }}" | jq -r -c .)
 SIGNED=$(printf '%s' "$HEADER" | b64enc).$(printf '%s' "$PAYLOAD" | b64enc)
-SIG=$(printf '%s' "$SIGNED" | openssl dgst -binary -sha256 -sign "$CTO_PEM_FILE" | b64enc)
+SIG=$(printf '%s' "$SIGNED" | openssl dgst -sha256 -sign "$CTO_PEM_FILE" | b64enc)
 JWT="${SIGNED}.${SIG}"
 rm -f "$CTO_PEM_FILE"
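Review bot: The key file written on the `+printf '%s' "${{ secrets.CTO_APP_PEM }}" > "$CTO_PEM_FILE"` line is only deleted by the `rm -f` at the very end of the step, so if any command between them fails (run steps execute under `bash -e` by default), the private key is left behind on the runner's filesystem; add `trap 'rm -f "$CTO_PEM_FILE"' EXIT` directly after `CTO_PEM_FILE=$(mktemp)` so cleanup happens on every exit path. Separately, `"${{ secrets.CTO_APP_PEM }}"` is template-expanded into the script text itself rather than read from the environment, which is the pattern GitHub's hardening guidance steers away from; expose the secret via an `env:` entry on the step and write `printf '%s' "$CTO_APP_PEM" > "$CTO_PEM_FILE"`. The `run:` block containing these lines starts and ends outside the hunk.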
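Review bot: If `openssl dgst -sha256 -sign` fails on the new `SIG=` line (unreadable or mismatched PEM), the exit status of the `$( … | b64enc)` pipeline is that of the trailing `tr`, so unless this step declares `shell: bash` (which adds `-o pipefail`) `SIG` is silently empty and the step goes on to present a malformed JWT; either put `set -o pipefail` at the top of the run block or add `[[ -n "$SIG" ]] || { echo "signing failed" >&2; exit 1; }` right after this line. Dropping `-binary` also leans on `dgst` emitting raw signature bytes whenever `-sign` is given (hex output is the default only for a plain digest, as far as I can tell), which is easy to forget; a comment above the line, `# dgst -sign outputs the raw signature; b64enc consumes binary`, would keep the next reader from re-adding a hex decode step. The enclosing `run:` block starts and ends outside the hunk.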