1- require('./sourcemap-register.js'); /******/ (() => { // webpackBootstrap
1+ /******/ (() => { // webpackBootstrap
22/******/ var __webpack_modules__ = ({
33
44/***/ 4914:
@@ -30056,20 +30056,23 @@ async function runCopilot(copilotPath, prompt, model) {
3005630056 }
3005730057 }, 10_000);
3005830058 }, COPILOT_TIMEOUT_MS);
30059- // Sanitize output to prevent workflow command injection (lines starting with ::)
30060- const sanitize = (chunk) => chunk.replace(/^::/gm, ' ::');
30059+ // Sanitize complete output to prevent workflow command injection (lines starting with ::)
30060+ // We sanitize the full accumulated string rather than per-chunk to avoid
30061+ // chunk boundaries splitting a '::' sequence across two chunks.
30062+ const sanitize = (text) => text.replace(/^::/gm, ' ::');
3006130063 cp.stdout.on('data', (data) => {
30062- const chunk = data.toString();
30063- stdout += chunk;
30064- process.stdout.write(sanitize(chunk));
30064+ stdout += data.toString();
3006530065 });
3006630066 cp.stderr.on('data', (data) => {
30067- const chunk = data.toString();
30068- stderr += chunk;
30069- process.stderr.write(sanitize(chunk));
30067+ stderr += data.toString();
3007030068 });
3007130069 cp.on('close', (code) => {
3007230070 clearTimeout(timeoutId);
30071+ // Write sanitized output now that we have complete strings
30072+ if (stdout)
30073+ process.stdout.write(sanitize(stdout));
30074+ if (stderr)
30075+ process.stderr.write(sanitize(stderr));
3007330076 if (killTimerId)
3007430077 clearTimeout(killTimerId);
3007530078 if (killed) {
@@ -30321,6 +30324,7 @@ var __importStar = (this && this.__importStar) || (function () {
3032130324Object.defineProperty(exports, "__esModule", ({ value: true }));
3032230325exports.parseOutput = parseOutput;
3032330326exports.formatAsMarkdown = formatAsMarkdown;
30327+ exports.sanitizeForLog = sanitizeForLog;
3032430328exports.setOutputs = setOutputs;
3032530329const core = __importStar(__nccwpck_require__(7484));
3032630330/**
@@ -30358,29 +30362,29 @@ function parseOutput(stdout) {
3035830362}
3035930363/**
3036030364 * Search through the output for a balanced JSON object that contains "entries".
30361- * Tries each '{' as a potential start, extracts the balanced object, and checks
30362- * if it parses as JSON with an "entries" key .
30365+ * Takes the LAST valid match — the model's final answer — not the first,
30366+ * since earlier matches may be echoed PR content .
3036330367 */
3036430368function findEntriesJSON(str) {
3036530369 let searchFrom = 0;
30370+ let lastValid = null;
3036630371 while (searchFrom < str.length) {
3036730372 const braceIdx = str.indexOf('{', searchFrom);
3036830373 if (braceIdx === -1)
3036930374 break;
3037030375 const candidate = extractBalancedJSON(str, braceIdx);
3037130376 if (candidate && candidate.includes('"entries"')) {
30372- // Verify it's valid JSON before returning
3037330377 try {
3037430378 JSON.parse(candidate);
30375- return candidate;
30379+ lastValid = candidate;
3037630380 }
3037730381 catch {
3037830382 // Not valid JSON, keep searching
3037930383 }
3038030384 }
3038130385 searchFrom = braceIdx + 1;
3038230386 }
30383- return null ;
30387+ return lastValid ;
3038430388}
3038530389/**
3038630390 * Extract a balanced JSON object from a string starting at the given index.
@@ -30470,6 +30474,13 @@ function formatAsMarkdown(output) {
3047030474 }
3047130475 return lines.join('\n').trim();
3047230476}
30477+ /**
30478+ * Sanitize text to prevent GitHub Actions workflow command injection.
30479+ * Lines starting with :: are interpreted as runner commands.
30480+ */
30481+ function sanitizeForLog(text) {
30482+ return text.replace(/^::/gm, ' ::');
30483+ }
3047330484/**
3047430485 * Set the GitHub Action outputs.
3047530486 */
@@ -30484,7 +30495,7 @@ function setOutputs(output) {
3048430495 core.info(`⏭️ ${output.skippedPRs.length} PRs skipped`);
3048530496 if (markdown) {
3048630497 core.info('\n--- Release Notes ---');
30487- core.info(markdown);
30498+ core.info(sanitizeForLog( markdown) );
3048830499 core.info('--- End Release Notes ---');
3048930500 }
3049030501}
@@ -30868,6 +30879,7 @@ async function findPRsViaMergeCommits(baseRef, headRef) {
3086830879 const num = parseInt(match[1], 10);
3086930880 if (!mergeSet.has(num)) {
3087030881 prNumbers.push(num);
30882+ mergeSet.add(num);
3087130883 }
3087230884 }
3087330885 }
@@ -32879,5 +32891,4 @@ module.exports = parseParams
3287932891/******/ module.exports = __webpack_exports__;
3288032892/******/
3288132893/******/ })()
32882- ;
32883- //# sourceMappingURL=index.js.map
32894+ ;
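Review bot: Prefixing a space in `sanitize` (inside runCopilot) and in `sanitizeForLog` probably does not neutralise a workflow command, because as far as I know the Actions runner trims leading whitespace from each line before testing for `::`; the pattern `/^::/gm` also skips lines that already begin with spaces or tabs. This text is model output that, per the comment on findEntriesJSON, can echo PR content, so it should be handled as untrusted: the mechanism GitHub documents for that is to print `::stop-commands::<random token>` before the text and `::<random token>::` after it, with a fresh unguessable token per write. If the replace is kept, put a non-whitespace character in front instead, e.g. `text.replace(/^(\s*)::/gm, '$1\\::')`, and confirm whether the legacy `##[` command prefix needs the same treatment. The bundle now carries two copies of the same regex, so the source should keep one helper and have runCopilot call it; both function bodies extend beyond the lines shown here.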