From 81d9f083684b300e8679032e8ed81c07ac90553f Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 15 Mar 2026 12:40:55 +0000
Subject: [PATCH 1/2] Initial plan


From b7e9b81310af495e2aa6670a8e647c5aa7bbb401 Mon Sep 17 00:00:00 2001
From: "copilot-swe-agent[bot]" <198982749+Copilot@users.noreply.github.com>
Date: Sun, 15 Mar 2026 12:56:18 +0000
Subject: [PATCH 2/2] fix: add -w 0 flag to base64 in checkout fetch step to
 prevent line wrapping with long PATs

Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
---
 .github/workflows/smoke-update-cross-repo-pr.lock.yml | 2 +-
 pkg/workflow/checkout_manager.go                      | 2 +-
 pkg/workflow/checkout_manager_test.go                 | 2 ++
 3 files changed, 4 insertions(+), 2 deletions(-)

diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
index 4b0892d387..e34b13eb36 100644
--- a/.github/workflows/smoke-update-cross-repo-pr.lock.yml
+++ b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
@@ -338,7 +338,7 @@ jobs:
         env:
           GH_AW_FETCH_TOKEN: ${{ secrets.GH_AW_SIDE_REPO_PAT }}
         run: |
-          header=$(printf "x-access-token:%s" "${GH_AW_FETCH_TOKEN}" | base64)
+          header=$(printf "x-access-token:%s" "${GH_AW_FETCH_TOKEN}" | base64 -w 0)
           git -c "http.extraheader=Authorization: Basic ${header}" fetch origin '+refs/heads/main:refs/remotes/origin/main' '+refs/pull/*/head:refs/remotes/origin/pull/*/head'
       - name: Create gh-aw temp directory
         run: bash /opt/gh-aw/actions/create_gh_aw_tmp_dir.sh
diff --git a/pkg/workflow/checkout_manager.go b/pkg/workflow/checkout_manager.go
index 15fa735680..cf0ee97562 100644
--- a/pkg/workflow/checkout_manager.go
+++ b/pkg/workflow/checkout_manager.go
@@ -684,7 +684,7 @@ func generateFetchStepLines(entry *resolvedCheckout, index int) string {
 	sb.WriteString("        env:\n")
 	fmt.Fprintf(&sb, "          GH_AW_FETCH_TOKEN: %s\n", token)
 	sb.WriteString("        run: |\n")
-	sb.WriteString("          header=$(printf \"x-access-token:%s\" \"${GH_AW_FETCH_TOKEN}\" | base64)\n")
+	sb.WriteString("          header=$(printf \"x-access-token:%s\" \"${GH_AW_FETCH_TOKEN}\" | base64 -w 0)\n")
 	fmt.Fprintf(&sb, `          %s -c "http.extraheader=Authorization: Basic ${header}" fetch origin %s`+"\n",
 		gitPrefix, strings.Join(refspecs, " "))
 	return sb.String()
diff --git a/pkg/workflow/checkout_manager_test.go b/pkg/workflow/checkout_manager_test.go
index 2eeaa985f0..ae5f47e792 100644
--- a/pkg/workflow/checkout_manager_test.go
+++ b/pkg/workflow/checkout_manager_test.go
@@ -714,6 +714,8 @@ func TestGenerateFetchStep(t *testing.T) {
 		assert.Contains(t, got, "http.extraheader=Authorization:", "should configure credentials via http.extraheader")
 		// When no custom token set, falls back to the effective GitHub token chain
 		assert.Contains(t, got, "GH_AW_GITHUB_TOKEN", "should fall back to GH_AW token chain when no checkout token set")
+		// base64 must use -w 0 to prevent line wrapping with long tokens (e.g. fine-grained PATs)
+		assert.Contains(t, got, "base64 -w 0", "should use base64 -w 0 to disable line wrapping")
 	})
 
 	t.Run("fetch refs/pulls/open/* uses PR refspec", func(t *testing.T) {