From 847c5985123ddead96c5ae61c62acc7e6b92a4bf Mon Sep 17 00:00:00 2001
From: Sudheer Obbu
Date: Wed, 22 Apr 2026 13:52:55 -0400
Subject: [PATCH 1/3] fix(helm): preserve trailing newlines in literal decryption to prevent double-escaping commas

Fixes #752

Shell command substitution strips trailing newlines, causing decrypted_literal to differ from literal when the value ends with \n. The else branch then incorrectly applies sed comma-escaping.

Fix: use printf sentinel idiom to preserve trailing newlines.

Signed-off-by: Sudheer Obbu
---
 scripts/commands/helm.sh | 14 ++++++++++++--
 1 file changed, 12 insertions(+), 2 deletions(-)

diff --git a/scripts/commands/helm.sh b/scripts/commands/helm.sh
index ea812d91..059297c7 100644
--- a/scripts/commands/helm.sh
+++ b/scripts/commands/helm.sh
@@ -131,11 +131,21 @@ helm_wrapper() {
 load_secret_backend "${DEFAULT_SECRET_BACKEND}"
 fi
 
- if ! decrypted_literal=$(backend_decrypt_literal "${literal}"); then
+ # Preserve trailing newlines: $(...) strips them, so we append a
+ # sentinel character 'x' and remove only the sentinel afterward.
+ # Without this, decrypted_literal differs from literal when the
+ # value ends with \n, causing the else branch to double-escape commas.
+ # See: https://github.com/jkroepke/helm-secrets/issues/752
+ if ! decrypted_literal=$(backend_decrypt_literal "${literal}"; printf x); then
 fatal 'Unable to decrypt literal value %s' "${literal}"
 fi
+ decrypted_literal="${decrypted_literal%x}"
 
- if [ "${decrypted_literal}" = "${literal}" ]; then
+ # Strip a single trailing newline from literal so the comparison
+ # is symmetric regardless of how the encrypted value was stored.
+ literal_stripped="${literal%$'\n'}"
+
+ if [ "${decrypted_literal}" = "${literal_stripped}" ]; then
 decrypted_literals="${decrypted_literals}${opt_prefix}${decrypted_literal},"
 else
 decrypted_literals="${decrypted_literals}${opt_prefix}$(printf '%s' "${decrypted_literal}" | sed -e 's/\\/\\\\/g' | sed -e 's/,/\\,/g'),"
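Review bot: The new comparison `if [ "${decrypted_literal}" = "${literal_stripped}" ]; then` is not actually symmetric: decrypted_literal now keeps its trailing newline thanks to the sentinel, while literal_stripped has one trailing newline removed, so a pass-through value that ends in a newline compares equal only if backend_decrypt_literal (defined outside this hunk) happens to emit it without that newline. If that is not guaranteed by the backend, strip the same single trailing newline from decrypted_literal into a scratch variable used only for the comparison, and keep appending the unstripped decrypted_literal to decrypted_literals so the preserved newline still reaches helm. The comment "so the comparison is symmetric" should then say which side is expected to carry the newline, since that is the whole point of #752. helm_wrapper() starts and ends outside the hunk.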
From 367c620684eff2299a1a5eeffe99b7259fa60bd9 Mon Sep 17 00:00:00 2001
From: Sudheer Obbu
Date: Tue, 28 Apr 2026 00:13:31 +0000
Subject: [PATCH 2/3] fix(lint): use POSIX-compatible newline variable and reformat subshell per shfmt

---
 scripts/commands/helm.sh | 10 ++++++++--
 1 file changed, 8 insertions(+), 2 deletions(-)

diff --git a/scripts/commands/helm.sh b/scripts/commands/helm.sh
index 059297c7..a8e7a338 100644
--- a/scripts/commands/helm.sh
+++ b/scripts/commands/helm.sh
@@ -136,14 +136,20 @@ helm_wrapper() {
 # Without this, decrypted_literal differs from literal when the
 # value ends with \n, causing the else branch to double-escape commas.
 # See: https://github.com/jkroepke/helm-secrets/issues/752
- if ! decrypted_literal=$(backend_decrypt_literal "${literal}"; printf x); then
+ if ! decrypted_literal=$(
+ backend_decrypt_literal "${literal}"
+ printf x
+ ); then
 fatal 'Unable to decrypt literal value %s' "${literal}"
 fi
 decrypted_literal="${decrypted_literal%x}"
 
 # Strip a single trailing newline from literal so the comparison
 # is symmetric regardless of how the encrypted value was stored.
- literal_stripped="${literal%$'\n'}"
+ # SC2039/SC3003: $'\n' is not POSIX; use a variable holding a literal newline.
+ _hs_nl='
+'
+ literal_stripped="${literal%"$_hs_nl"}"
 
 if [ "${decrypted_literal}" = "${literal_stripped}" ]; then
 decrypted_literals="${decrypted_literals}${opt_prefix}${decrypted_literal},"

From be5fac50fc24cf54340f83117d35765fea9c6d2c Mon Sep 17 00:00:00 2001
From: Sudheer Obbu
Date: Tue, 28 Apr 2026 12:18:11 +0000
Subject: [PATCH 3/3] fix(lint): preserve exit status through sentinel subshell to correctly propagate decryption errors

---
 scripts/commands/helm.sh | 2 ++
 1 file changed, 2 insertions(+)

diff --git a/scripts/commands/helm.sh b/scripts/commands/helm.sh
index a8e7a338..eed4718d 100644
--- a/scripts/commands/helm.sh
+++ b/scripts/commands/helm.sh
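Review bot: The two-line `_hs_nl='` / `'` assignment is a constant but is re-executed every time this code path runs, which (judging from the accumulation into decrypted_literals) looks like once per literal; defining it once near helm_wrapper's other setup, or at file scope, would keep the easily-misread embedded newline in a single place. A one-line `# literal newline; POSIX sh has no $'\n'` next to that single definition is enough, and the SC2039/SC3003 reference can move with it. The exit status of the reformatted subshell is handled by 3/3 in this series, so nothing to add there. helm_wrapper() starts and ends outside the hunk.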
@@ -138,7 +138,9 @@ helm_wrapper() {
 # See: https://github.com/jkroepke/helm-secrets/issues/752
 if ! decrypted_literal=$(
 backend_decrypt_literal "${literal}"
+ _hs_ret=$?
 printf x
+ exit "${_hs_ret}"
 ); then
 fatal 'Unable to decrypt literal value %s' "${literal}"
 fi
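Review bot: The comment block above this construct explains the sentinel but not why `_hs_ret=$?` and `exit "${_hs_ret}"` are needed, and a future cleanup could easily drop them as noise; add a line such as `# printf x would otherwise become the subshell's status; re-raise the decrypt status so 'fatal' still fires.` where the sentinel is introduced. It is worth confirming that `_hs_ret=$?` is reached when the backend fails under `set -e` if the script enables it, although inside an `if !` condition the shell should be ignoring -e for the whole subshell. helm_wrapper() starts and ends outside the hunk.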