Skip to content

fix(workflows): remove literal dollar-brace-brace from run-block comments (actual root cause) #28

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

Sign up for GitHub

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Merged
cmeans-claude-dev merged 1 commit into from
Apr 20, 2026
Merged

fix(workflows): remove literal dollar-brace-brace from run-block comments (actual root cause) #28

Changes from all commits
Commits
Show all changes
1 commit
Select commit
File filter

Filter by extension

Filter by extension
Conversations
Failed to load comments.
Loading
Jump to
Jump to file
Failed to load files.
Loading
Diff view
Diff view
13 changes: 8 additions & 5 deletions .github/workflows/pr-labels-ci.yml
View file
Open in desktop
Original file line number Diff line number Diff line change
Expand Up @@ -53,9 +53,12 @@ jobs:
run: |
# Read workflow_run fields directly from the event payload on disk.
# $GITHUB_EVENT_PATH is always set on GitHub-hosted runners.
# Going through jq -r avoids the ${{ }} expression surface entirely
# (which previously broke queue-time parsing on workflow_dispatch /
# push validation). jq is pre-installed on ubuntu-latest.
# Going through jq -r avoids the GitHub Actions expression surface
# entirely (which previously broke queue-time parsing on
# workflow_dispatch / push validation because GHA substitutes
# dollar-brace-brace sequences in run blocks *before* the shell
# sees them — including sequences inside shell comments).
# jq is pre-installed on ubuntu-latest.
# Shell-injection safety: jq -r writes raw bytes into a shell
# variable via command substitution, and every subsequent use is
# double-quoted — same guarantee as the prior env: pattern.
Expand All @@ -79,7 +82,7 @@ jobs:

# Fallback: pull_requests array is empty for dependabot PRs.
# Search by head branch instead. HEAD_BRANCH came from jq (above),
# not direct ${{ }} interpolation — fork PR branch names are
# not a direct GHA expression — fork PR branch names are
# contributor-controlled and allow shell metacharacters.
if [ -z "$PR" ]; then
PR=$(gh pr list --repo "$REPO" --head "$HEAD_BRANCH" --state open \
Expand Down Expand Up @@ -138,7 +141,7 @@ jobs:
API_OUT=$(gh api "repos/$REPO/actions/runs/$RUN_ID/pull_requests" \
--jq '.[0].number // empty' 2>&1) && PR="$API_OUT" || true

# HEAD_BRANCH came from jq (above), not direct ${{ }} interpolation
# HEAD_BRANCH came from jq (above), not a direct GHA expression
# fork PR branch names are contributor-controlled.
if [ -z "$PR" ]; then
PR=$(gh pr list --repo "$REPO" --head "$HEAD_BRANCH" --state open \
Expand Down
Loading