From 03cda08a33bbf3081bc32b8823fe06747a037cb4 Mon Sep 17 00:00:00 2001
From: Shaun Arman
Date: Sun, 31 May 2026 15:12:46 -0500
Subject: [PATCH] fix(ci): fix grep invalid range and printf invalid option in pr-review

1. SECRET_PATTERN had [A-Za-z0-9+/_\-!@#] -- backslash-escaped hyphen is invalid POSIX ERE; grep parsed it as a range with invalid bounds. Fix: move hyphen to end of class: [A-Za-z0-9+/_!@#-].

2. printf -- '---\n' fails with 'invalid option' in bash because the builtin does not accept -- as end-of-options. Removed -- from all four printf calls.
---
 .gitea/workflows/pr-review.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/.gitea/workflows/pr-review.yml b/.gitea/workflows/pr-review.yml
index 4b4689dd..824edcdc 100644
--- a/.gitea/workflows/pr-review.yml
+++ b/.gitea/workflows/pr-review.yml
@@ -59,7 +59,7 @@ jobs:
 # Secret scrubbing: match actual credential VALUES only — known API key formats,
 # or keyword="long_quoted_literal" (25+ chars). Never scrub on keyword alone,
 # which would silently delete function signatures, variable declarations, and tests.
- SECRET_PATTERN='AKIA[A-Z0-9]{16}|gh[opsu]_[A-Za-z0-9_]{36,}|xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}|(password|token|api_key|secret)[[:space:]]*=[[:space:]]*["'"'"'][A-Za-z0-9+/_\-!@#]{25,}["'"'"']'
+ SECRET_PATTERN='AKIA[A-Z0-9]{16}|gh[opsu]_[A-Za-z0-9_]{36,}|xox[baprs]-[0-9]{10,13}-[0-9]{10,13}-[a-zA-Z0-9]{24}|(password|token|api_key|secret)[[:space:]]*=[[:space:]]*["'"'"'][A-Za-z0-9+/_!@#-]{25,}["'"'"']'
 # Only strip lines that are ENTIRELY a long base64 blob (e.g. PEM cert bodies)
 B64_PATTERN='^[[:space:]]*[A-Za-z0-9+/]{60,}={0,2}[[:space:]]*$'
 
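Review bot: The quoted-value class on the new SECRET_PATTERN line, `[A-Za-z0-9+/_!@#-]{25,}`, still excludes `=` and `.`, so a quoted secret that is padded base64 or dot-separated (JWT-style) does not match and would pass the scrubber unredacted. Consider `[A-Za-z0-9+/_!@#=.-]{25,}`, keeping the hyphen last so it stays a literal. The keyword alternative also matches only `=` assignments and lower-case keywords unless grep is run with `-i`, which this hunk does not show. Since the old pattern made grep error out, it is worth confirming outside this hunk that the scrub step fails closed when grep exits with status 2 rather than forwarding unscrubbed content.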
@@ -156,13 +156,13 @@ jobs:
 printf 'You are a senior engineer performing a code review.\n\n'
 printf 'PR Title: %s\n' "$PR_TITLE"
 printf 'Files changed: %s\n\n' "$CHANGED_FILES"
- printf -- '---\n'
+ printf '---\n'
 cat /tmp/codebase_index.txt
 printf -- '---\n\n'
 printf '## Changed file contents\n\n'
 printf 'Each section is the COMPLETE, FINAL file after PR changes (not a diff).\n'
 printf 'Files over 500 lines show only changed sections with surrounding context.\n\n'
- printf -- '---\n'
+ printf '---\n'
 cat /tmp/pr_context.txt
 printf -- '---\n\n'
 printf '## Instructions\n\n'
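Review bot: The two changed lines now read `printf '---\n'`, and in bash a format string that begins with `-` is itself parsed as an option, which is the usual source of `printf: --: invalid option`; `--` is the accepted end-of-options marker for the builtin, so this change likely introduces the failure rather than removing it. A form that does not depend on option parsing at all is `printf '%s\n' '---'`. The commit message says all four calls were changed, but the two `printf -- '---\n\n'` lines remain as context, so the block is now inconsistent as well. If a failing printf drops the delimiter, the prompt loses the separator in front of the `cat` of `/tmp/codebase_index.txt` and `/tmp/pr_context.txt`; whether the step runs under `set -e` is not visible in this hunk.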