From 91646fbe1d71700abc51e7434ceb0b1cef72071b Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Jun 2026 15:41:10 +0000
Subject: [PATCH 1/3] Initial plan


From 7e2372b7c5f2acd1a07c14737ed285b3f08e51ce Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Jun 2026 15:44:32 +0000
Subject: [PATCH 2/3] Fix GPG key import fallback in release workflow

---
 .github/workflows/release.yml | 10 +++++++---
 1 file changed, 7 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e696a0f..e5da234 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -41,10 +41,14 @@ jobs:
           key_file="$(mktemp)"
           trap 'rm -f "${key_file}"' EXIT
 
-          if [[ "${GPG_PRIVATE_KEY}" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
-            printf '%s' "${GPG_PRIVATE_KEY}" | sed 's/\\n/\n/g' > "${key_file}"
+          normalized_key="$(printf '%s' "${GPG_PRIVATE_KEY}" | sed 's/\\n/\n/g')"
+
+          if [[ "${normalized_key}" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
+            printf '%s' "${normalized_key}" > "${key_file}"
+          elif printf '%s' "${GPG_PRIVATE_KEY}" | tr -d '\r\n' | base64 --decode > "${key_file}" 2>/dev/null; then
+            :
           else
-            printf '%s' "${GPG_PRIVATE_KEY}" | base64 --decode > "${key_file}"
+            printf '%s' "${normalized_key}" > "${key_file}"
           fi
 
           gpg --batch --import "${key_file}"

From 81819b4c11e103b6e950ce9ea803e39b2c07c339 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Thu, 18 Jun 2026 15:47:53 +0000
Subject: [PATCH 3/3] Harden release workflow GPG key import

---
 .github/workflows/release.yml | 7 ++++---
 1 file changed, 4 insertions(+), 3 deletions(-)

diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index e5da234..ac1ebd9 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
@@ -45,10 +45,11 @@ jobs:
 
           if [[ "${normalized_key}" == *"-----BEGIN PGP PRIVATE KEY BLOCK-----"* ]]; then
             printf '%s' "${normalized_key}" > "${key_file}"
-          elif printf '%s' "${GPG_PRIVATE_KEY}" | tr -d '\r\n' | base64 --decode > "${key_file}" 2>/dev/null; then
-            :
           else
-            printf '%s' "${normalized_key}" > "${key_file}"
+            if ! printf '%s' "${normalized_key}" | base64 --decode > "${key_file}" 2>/dev/null; then
+              echo "::notice::GPG_PRIVATE_KEY is not valid base64-encoded. Using raw key format. If import fails, verify the secret contains a valid PGP private key block (armored format)."
+              printf '%s' "${normalized_key}" > "${key_file}"
+            fi
           fi
 
           gpg --batch --import "${key_file}"