diff --git a/.github/workflows/automerge.yaml b/.github/workflows/automerge.yaml index 6f5a423c80..399a1d6a9a 100644 --- a/.github/workflows/automerge.yaml +++ b/.github/workflows/automerge.yaml @@ -1,4 +1,5 @@ name: Automerge PR + on: pull_request_target: paths: @@ -7,12 +8,13 @@ on: jobs: check: runs-on: ubuntu-latest + steps: - name: Checkout PR uses: actions/checkout@v2 with: - ref: ${{github.event.pull_request.head.ref}} - repository: ${{github.event.pull_request.head.repo.full_name}} + ref: ${{ github.event.pull_request.head.ref }} + repository: ${{ github.event.pull_request.head.repo.full_name }} fetch-depth: 0 - name: Fetch main repo 
@@ -22,30 +24,42 @@ jobs: - name: Make sure there's only one TLD affected run: | - TLD_FILE=$(git diff --name-only upstream/main) - [[ $TLD_FILE == zones/cluster.ws.yaml ]] || [[ $TLD_FILE == zones/wip.la.yaml ]] + TLD_FILE="$(git diff --name-only upstream/main)" + if [[ "$TLD_FILE" != "zones/cluster.ws.yaml" && "$TLD_FILE" != "zones/wip.la.yaml" ]]; then + echo "Automerge skipped: more than one or invalid TLD file affected" + echo "$TLD_FILE" + exit 0 + fi - name: Make sure that only one line was affected run: | - TLD_FILE=$(git diff --name-only upstream/main) - DIFF_LOG=$(diff <(git show upstream/main:$TLD_FILE) $TLD_FILE | grep ^[[:digit:]]) - [[ $(echo $DIFF_LOG | wc -l) == 1 ]] - [[ $DIFF_LOG =~ ^[0-9]+a[0-9]+$ ]] + TLD_FILE="$(git diff --name-only upstream/main)" + + # Get diff summary safely (ignore grep failure) + DIFF_LOG="$(diff <(git show upstream/main:$TLD_FILE) "$TLD_FILE" | grep '^[[:digit:]]' || true)" + + # Sanitize CRLF + DIFF_LOG="$(printf '%s\n' "$DIFF_LOG" | tr -d '\r')" + + # Count lines safely + LINE_COUNT="$(printf '%s\n' "$DIFF_LOG" | wc -l | tr -d '[:space:]')" + + if [[ "$LINE_COUNT" -eq 1 ]] && [[ "$DIFF_LOG" =~ ^[0-9]+a[0-9]+$ ]]; then + echo "Single-line add detected: $DIFF_LOG" + else + echo "Automerge skipped: unexpected diff" + echo "Line count: $LINE_COUNT" + echo "$DIFF_LOG" + exit 0 + fi - name: Make sure zone file is valid run: | - TLD_FILE=$(git diff --name-only upstream/main) - npx ajv-cli validate -s dns.schema.json -d $TLD_FILE - - # - name: If a domain was modified, make sure it is done by the owner - # run: | - # TLD_FILE=$(git diff --name-only upstream/main) - # DIFF_LOG=$(diff <(git show upstream/main:$TLD_FILE) $TLD_FILE | grep ^[[:digit:]]) - # CHANGED_LINES=${DIFF_LOG#[0-9]*c},${DIFF_LOG#[0-9]*c} - # [[ ${DIFF_LOG#[0-9]*a} == $(expr ${DIFF_LOG%a[0-9]*} + 1) ]] || [[ $(git blame -te -L$CHANGED_LINES upstream/main -- $TLD_FILE | awk '{print substr($2,2)}') == $(git blame --line-porcelain -L$CHANGED_LINES -- $TLD_FILE | 
grep -E '^(committer-mail)' | awk '{print $2}') ]] + TLD_FILE="$(git diff --name-only upstream/main)" + npx ajv-cli validate -s dns.schema.json -d "$TLD_FILE" - name: Auto-merge - uses: "pascalgn/automerge-action@v0.14.2" + uses: pascalgn/automerge-action@v0.14.2 env: GITHUB_TOKEN: "${{ secrets.GITHUB_TOKEN }}" MERGE_METHOD: "squash"
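Review bot: The new `exit 0` branches in the "only one TLD affected" and "only one line was affected" steps end the step successfully, so the job carries on to the `Auto-merge` step even after printing "Automerge skipped". The removed bare `[[ … ]]` tests appear to have failed the step under the default `bash -e` shell and stopped the job there. As written, a pull request that rewrites several lines of an allowed zone file would still reach `pascalgn/automerge-action` once it passes schema validation, subject to whatever merge conditions are set in the part of the `env:` block outside this hunk. Use `exit 1` in both branches, or, if a green run is wanted, write a flag to `$GITHUB_OUTPUT` in the guard steps and put an `if:` on every later step, including `Auto-merge`. Separately, `git show upstream/main:$TLD_FILE` inside the process substitution is still unquoted and should be `git show "upstream/main:$TLD_FILE"`.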