ci(triage): escape triaging argument (#9977)

gr2m · web-flow · commit bfa7bed7f4cb · 2025-11-02T15:35:24.000-08:00
diff --git a/.github/workflows/triage.yml b/.github/workflows/triage.yml
@@ -125,9 +125,11 @@ jobs:
             echo "No labels to apply"
           fi
 
-          echo "Reasoning: ${{ fromJSON(steps.classify-issue.outputs.json).reasoning }}"
+          # Use printf with environment variable to safely log reasoning and prevent command injection
+          printf 'Reasoning: %s\n' "$REASONING"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REASONING: ${{ fromJSON(steps.classify-issue.outputs.json).reasoning }}
 
   triage_issue:
     name: Auto-triage Issue
@@ -247,6 +249,8 @@ jobs:
             echo "No labels to apply"
           fi
 
-          echo "Reasoning: ${{ fromJSON(steps.classify-issue.outputs.json).reasoning }}"
+          # Use printf with environment variable to safely log reasoning and prevent command injection
+          printf 'Reasoning: %s\n' "$REASONING"
         env:
           GH_TOKEN: ${{ steps.app-token.outputs.token }}
+          REASONING: ${{ fromJSON(steps.classify-issue.outputs.json).reasoning }}
