From 0cb6a4f52459cb3e9508d0bffbc14b3d99ba3286 Mon Sep 17 00:00:00 2001
From: rob thijssen <grenade@rob.tn>
Date: Sun, 26 Apr 2026 14:25:57 +0300
Subject: [PATCH] fix(ci): use heredoc for rpmmacros to avoid shell escaping
 issues

The echo-based approach was mangling rpm macro tokens like
%{__plaintext_filename}. Switch to a heredoc so the content is
written verbatim.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
---
 .gitea/workflows/build-release.yml | 6 ++++--
 1 file changed, 4 insertions(+), 2 deletions(-)

diff --git a/.gitea/workflows/build-release.yml b/.gitea/workflows/build-release.yml
index 31d14da..04e076f 100644
--- a/.gitea/workflows/build-release.yml
+++ b/.gitea/workflows/build-release.yml
@@ -128,8 +128,10 @@ jobs:
       - name: Import signing key
         run: |
           echo "${{ secrets.RPM_SIGNING_KEY }}" | gpg --batch --import
-          echo "%_gpg_name ${{ secrets.RPM_SIGNING_KEY_ID }}" > ~/.rpmmacros
-          echo "%__gpg_sign_cmd %{__gpg} --batch --no-armor --no-tty --pinentry-mode loopback --passphrase '' %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u \"%{_gpg_name}\" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}" >> ~/.rpmmacros
+          cat > ~/.rpmmacros << 'RPMMACROS'
+%_gpg_name ${{ secrets.RPM_SIGNING_KEY_ID }}
+%__gpg_sign_cmd %{__gpg} --batch --no-armor --no-tty --pinentry-mode loopback --passphrase '' %{?_gpg_digest_algo:--digest-algo %{_gpg_digest_algo}} --no-secmem-warning -u "%{_gpg_name}" -sbo %{__signature_filename} --digest-algo sha256 %{__plaintext_filename}
+RPMMACROS
 
       - name: Sign and publish
         run: ./script/publish-repo.sh rpms/