fix: address review on prompt + skip-cp-setup (PR #81)

d-morrison · claude · d-morrison · commit 0baffedc51d5 · 2026-05-25T22:24:13.000-07:00
- quarto-review.prompt.md: convert checklist item 8's three comma-separated
  validation steps to a bullet list, per the repo's own bullet-list rule.
- copilot-setup-steps.yml: pass the event name and label-contains expression
  through env vars in the skip check rather than interpolating them into the
  shell, the GitHub-recommended pattern against expression injection.

(The `paths:` filter does not block the skip-cp-setup label: Copilot invokes
copilot-setup-steps directly when provisioning its environment, independent of
the `on:` triggers, so the label is honored there.)

Co-Authored-By: Claude Opus 4.7 (1M context) &lt;noreply@anthropic.com&gt;
diff --git a/.github/prompts/quarto-review.prompt.md b/.github/prompts/quarto-review.prompt.md
@@ -29,8 +29,10 @@ Review checklist:
 7. No generated files are edited (`README.md` from `README.Rmd`; `_site/`,
    `_freeze/`, `.quarto/`), and spell/link-check failures are fixed at the
    source (wordlist or content), not suppressed.
-8. The author ran the required local validation: render of the touched page,
-   `lintr`, and `spelling::spell_check_package()`.
+8. The author ran the required local validation:
+   - render of the touched page
+   - `lintr`
+   - `spelling::spell_check_package()`
 
 Output format:
 
diff --git a/.github/workflows/copilot-setup-steps.yml b/.github/workflows/copilot-setup-steps.yml
@@ -46,12 +46,18 @@ jobs:
       # (e.g. metadata- or workflow-only PRs). Non-PR events always run setup.
       - name: Check if setup should be skipped
         id: check_label
+        # Pass the expression result through env (GitHub-recommended) rather
+        # than interpolating it directly into the shell, to avoid the
+        # expression-injection anti-pattern in code that downstream books copy.
+        env:
+          EVENT_NAME: ${{ github.event_name }}
+          LABELS_CONTAIN_SKIP: ${{ contains(github.event.pull_request.labels.*.name, 'skip-cp-setup') }}
         shell: bash
         run: |
-          if [[ '${{ github.event_name }}' != 'pull_request' ]]; then
+          if [[ "$EVENT_NAME" != 'pull_request' ]]; then
             echo "Not a pull request, running full setup"
             echo "skip=false" >> "$GITHUB_OUTPUT"
-          elif [[ '${{ contains(github.event.pull_request.labels.*.name, 'skip-cp-setup') }}' == 'true' ]]; then
+          elif [[ "$LABELS_CONTAIN_SKIP" == 'true' ]]; then
             echo "skip-cp-setup label present, skipping setup steps"
             echo "skip=true" >> "$GITHUB_OUTPUT"
           else
