[code-scanning-fix] Fix go/unsafe-quoting: Remove unused environment variable with unsafe JSON embedding #11424

New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

Closed

+0 −14

pkg/workflow/update_project_job.go

-Original file line number
+Diff line change
@@ -1,7 +1,6 @@
     package workflow
     import (
-    	"encoding/json"
     	"fmt"
     )
@@ Expand Down Expand Up @@
     	// The JavaScript code checks process.env.GH_AW_PROJECT_GITHUB_TOKEN to provide helpful error messages
     	customEnvVars = append(customEnvVars, fmt.Sprintf("          GH_AW_PROJECT_GITHUB_TOKEN: %s\n", effectiveToken))
-    	// If views are configured in frontmatter, pass them to the JavaScript via environment variable
-    	if data.SafeOutputs.UpdateProjects != nil && len(data.SafeOutputs.UpdateProjects.Views) > 0 {
-    		viewsJSON, err := json.Marshal(data.SafeOutputs.UpdateProjects.Views)
-    		if err != nil {
-    			return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
-    		}
-    		// lgtm[go/unsafe-quoting] - This generates YAML environment variable declarations, not shell commands.
-    		// The %q format specifier properly escapes the JSON string for YAML syntax. There is no shell injection
-    		// risk because this value is set as an environment variable in the GitHub Actions YAML configuration,
-    		// not executed as shell code.
-    		customEnvVars = append(customEnvVars, fmt.Sprintf("          GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
-    	}
     	jobCondition := BuildSafeOutputType("update_project")
     	permissions := NewPermissionsContentsReadProjectsWrite()
@@ Expand Down @@

Provide feedback