github · pelikhan · Mar 15, 2026 · Mar 15, 2026 · Mar 15, 2026
diff --git a/.github/workflows/smoke-update-cross-repo-pr.lock.yml b/.github/workflows/smoke-update-cross-repo-pr.lock.yml
diff --git a/pkg/workflow/checkout_manager.go b/pkg/workflow/checkout_manager.go
@@ -684,7 +684,7 @@ func generateFetchStepLines(entry *resolvedCheckout, index int) string {
 	sb.WriteString("        env:\n")
 	fmt.Fprintf(&sb, "          GH_AW_FETCH_TOKEN: %s\n", token)
 	sb.WriteString("        run: |\n")
-	sb.WriteString("          header=$(printf \"x-access-token:%s\" \"${GH_AW_FETCH_TOKEN}\" | base64)\n")
+	sb.WriteString("          header=$(printf \"x-access-token:%s\" \"${GH_AW_FETCH_TOKEN}\" | base64 -w 0)\n")
 	fmt.Fprintf(&sb, `          %s -c "http.extraheader=Authorization: Basic ${header}" fetch origin %s`+"\n",
 		gitPrefix, strings.Join(refspecs, " "))
 	return sb.String()

diff --git a/pkg/workflow/checkout_manager_test.go b/pkg/workflow/checkout_manager_test.go
@@ -714,6 +714,8 @@ func TestGenerateFetchStep(t *testing.T) {
 		assert.Contains(t, got, "http.extraheader=Authorization:", "should configure credentials via http.extraheader")
 		// When no custom token set, falls back to the effective GitHub token chain
 		assert.Contains(t, got, "GH_AW_GITHUB_TOKEN", "should fall back to GH_AW token chain when no checkout token set")
+		// base64 must use -w 0 to prevent line wrapping with long tokens (e.g. fine-grained PATs)
+		assert.Contains(t, got, "base64 -w 0", "should use base64 -w 0 to disable line wrapping")
 	})
 
 	t.Run("fetch refs/pulls/open/* uses PR refspec", func(t *testing.T) {