fix(review): randomize heredoc delimiter to prevent output injection

zfarrell · zfarrell · commit c8ed1103fe7d · 2026-04-12T10:46:33.000-07:00
diff --git a/.github/workflows/claude-pr-review.yml b/.github/workflows/claude-pr-review.yml
@@ -75,10 +75,11 @@ jobs:
             end
           ')
 
+          DELIMITER="REVIEW_CONTEXT_$(openssl rand -hex 16)"
           {
-            echo "threads<<REVIEW_CONTEXT_HEREDOC"
+            echo "threads<<${DELIMITER}"
             echo "$THREADS"
-            echo "REVIEW_CONTEXT_HEREDOC"
+            echo "${DELIMITER}"
           } >> $GITHUB_OUTPUT
         env:
           GH_TOKEN: ${{ github.token }}
