From f86ad33a0ac6bf1ae3925b18c0e5d73945184e06 Mon Sep 17 00:00:00 2001
From: anish k
Date: Thu, 30 Apr 2026 08:42:04 +0000
Subject: [PATCH] ci: fix expression injection in slack-issue-notification workflow

## Problem

Signed-off-by: anish k
---
 .../workflows/slack-issue-notification.yml | 54 ++++++++++++-------
 1 file changed, 35 insertions(+), 19 deletions(-)

diff --git a/.github/workflows/slack-issue-notification.yml b/.github/workflows/slack-issue-notification.yml
index 675dd939..e079a15e 100644
--- a/.github/workflows/slack-issue-notification.yml
+++ b/.github/workflows/slack-issue-notification.yml
@@ -8,29 +8,45 @@ jobs:
   notify:
     runs-on: ubuntu-latest
     steps:
-      - name: Post to Slack
-        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # 2.1.1
-        with:
-          method: chat.postMessage
-          token: ${{ secrets.SLACK_BOT_TOKEN }}
-          payload: |
-            {
-              "channel": "C09HY5E0K60",
-              "text": "New issue opened in ${{ github.repository }}",
-              "blocks": [
+      - name: Build Slack payload
+        id: build_payload
+        env:
+          ISSUE_TITLE: ${{ github.event.issue.title }}
+          ISSUE_URL: ${{ github.event.issue.html_url }}
+          ISSUE_NUMBER: ${{ github.event.issue.number }}
+          ISSUE_AUTHOR: ${{ github.event.issue.user.login }}
+          REPO: ${{ github.repository }}
+        run: |
+          payload=$(jq -n \
+            --arg title "$ISSUE_TITLE" \
+            --arg url "$ISSUE_URL" \
+            --arg number "$ISSUE_NUMBER" \
+            --arg author "$ISSUE_AUTHOR" \
+            --arg repo "$REPO" \
+            '{
+              channel: "C09HY5E0K60",
+              text: "New issue opened in \($repo)",
+              blocks: [
                 {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*New Issue:* <${{ github.event.issue.html_url }}|#${{ github.event.issue.number }} ${{ github.event.issue.title }}>"
+                  type: "section",
+                  text: {
+                    type: "mrkdwn",
+                    text: "*New Issue:* <\($url)|#\($number) \($title)>"
                   }
                 },
                 {
-                  "type": "section",
-                  "text": {
-                    "type": "mrkdwn",
-                    "text": "*Author:* ${{ github.event.issue.user.login }}"
+                  type: "section",
+                  text: {
+                    type: "mrkdwn",
+                    text: "*Author:* \($author)"
                   }
                 }
               ]
-            }
+            }')
+          echo "payload=$payload" >> "$GITHUB_OUTPUT"
+      - name: Post to Slack
+        uses: slackapi/slack-github-action@91efab103c0de0a537f72a35f6b8cda0ee76bf0a # 2.1.1
+        with:
+          method: chat.postMessage
+          token: ${{ secrets.SLACK_BOT_TOKEN }}
+          payload: ${{ steps.build_payload.outputs.payload }}
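Review bot: The step output written by `echo "payload=$payload" >> "$GITHUB_OUTPUT"` is multi-line, because `jq -n` pretty-prints by default, and the single-line `key=value` form of GITHUB_OUTPUT only accepts one line, so the Post to Slack step will receive a truncated or rejected payload rather than the JSON built here. The smallest fix is to emit compact JSON, `payload=$(jq -cn \`, so the whole document lands on one line; the alternative is the heredoc delimiter form of GITHUB_OUTPUT, which is more to get right. Moving the event fields into `env:` and quoting them through `--arg` is the right shape for the injection fix, since the issue title and author no longer reach the shell as expanded expressions and jq handles the JSON escaping; a short comment above `run:` saying why the payload is built with jq instead of inline `${{ }}` would keep the next editor from reverting it. The `jobs:`/`notify:` mapping begins before this hunk.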