From 9740e9c6fb1f3098e9111c80abe2753163970d58 Mon Sep 17 00:00:00 2001
From: MichaelFisher1997 <contact@michaelfisher.tech>
Date: Sat, 28 Feb 2026 12:46:25 +0000
Subject: [PATCH] fix: strip newlines from SSH_KEY_PUBLIC secret in workflows

Normalize SSH public key secret before writing secrets.auto.tfvars so wrapped/multiline key pastes do not break Terraform parsing.
---
 .gitea/workflows/terraform-apply.yml | 2 +-
 .gitea/workflows/terraform-plan.yml  | 2 +-
 2 files changed, 2 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/terraform-apply.yml b/.gitea/workflows/terraform-apply.yml
index cd3f59c..fa05fc1 100644
--- a/.gitea/workflows/terraform-apply.yml
+++ b/.gitea/workflows/terraform-apply.yml
@@ -23,7 +23,7 @@ jobs:
         run: |
           cat > secrets.auto.tfvars << EOF
           pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
-          SSH_KEY_PUBLIC      = "${{ secrets.SSH_KEY_PUBLIC }}"
+          SSH_KEY_PUBLIC      = "$(printf '%s' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r\n')"
           EOF
           cat > backend.hcl << EOF
           bucket                      = "${{ secrets.B2_TF_BUCKET }}"
diff --git a/.gitea/workflows/terraform-plan.yml b/.gitea/workflows/terraform-plan.yml
index d134347..3bd9459 100644
--- a/.gitea/workflows/terraform-plan.yml
+++ b/.gitea/workflows/terraform-plan.yml
@@ -25,7 +25,7 @@ jobs:
           echo "PM_API_TOKEN_SECRET length: $(echo -n '${{ secrets.PM_API_TOKEN_SECRET }}' | wc -c)"
           cat > secrets.auto.tfvars << EOF
           pm_api_token_secret = "${{ secrets.PM_API_TOKEN_SECRET }}"
-          SSH_KEY_PUBLIC      = "${{ secrets.SSH_KEY_PUBLIC }}"
+          SSH_KEY_PUBLIC      = "$(printf '%s' "${{ secrets.SSH_KEY_PUBLIC }}" | tr -d '\r\n')"
           EOF
           cat > backend.hcl << EOF
           bucket                      = "${{ secrets.B2_TF_BUCKET }}"