From 8698e7534604aa6b1e721b8f83fc55f2636edb10 Mon Sep 17 00:00:00 2001
From: Oliver Baer <75138893+mrwind-up-bird@users.noreply.github.com>
Date: Tue, 10 Mar 2026 02:54:25 +0100
Subject: [PATCH] fix(autofix): Command injection in contract check workflow

---
 examples/github-actions/contract-check.yml | 6 +++---
 1 file changed, 3 insertions(+), 3 deletions(-)

diff --git a/examples/github-actions/contract-check.yml b/examples/github-actions/contract-check.yml
index a472ad75..1fd4c27c 100644
--- a/examples/github-actions/contract-check.yml
+++ b/examples/github-actions/contract-check.yml
@@ -45,7 +45,7 @@ jobs:
 id: contracts
 run: |
 CONTRACTS=$(git diff --name-only ${{ github.event.pull_request.base.sha }}..${{ github.sha }} \
- | grep -E '\.(proto|yaml|json)$' \
+ CONTRACTS=$(git diff --name-only "${{ github.event.pull_request.base.sha }}..${{ github.sha }}" \
 | grep -E '(proto/|openapi/|api/|swagger)' || true)
 if [ -n "$CONTRACTS" ]; then
@@ -67,7 +67,7 @@ jobs:
 ## Contract Change Analysis
 
 This PR modifies API contract files. Cross-boundary impact analysis:
-
+ echo "Analyzing: $(printf '%q' "$CONTRACT")"
 EOF
 
 while IFS= read -r CONTRACT; do
@@ -76,7 +76,7 @@ jobs:
 RESULT=$(curl -s "http://localhost:8080/contracts/impact?path=$CONTRACT" || echo '{}')
 
 VISIBILITY=$(echo "$RESULT" | jq -r '.visibility // "unknown"')
- CONSUMERS=$(echo "$RESULT" | jq -r '.consumers | length // 0')
+ echo "### \`$(printf '%q' "$CONTRACT")\`" >> contract-report.md
 RISK=$(echo "$RESULT" | jq -r '.riskLevel // "unknown"')
 echo "" >> contract-report.md
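Review bot: The new side of the first hunk has two `CONTRACTS=$(git diff --name-only …` lines: the original unquoted line is kept as context with its trailing `\`, so the added quoted line becomes its continuation and the outer `$(` is never closed — bash will reject the step with a syntax error (or swallow the following lines into the substitution), and the removed `| grep -E '\.(proto|yaml|json)$' \` extension filter is no longer applied, so any path under `api/` or `proto/` is treated as a contract. The intended edit is to replace the first line rather than the filter: `CONTRACTS=$(git diff --name-only "${{ github.event.pull_request.base.sha }}..${{ github.sha }}" \` followed by both existing `| grep -E` lines. Note also that quoting does not neutralise `${{ }}` expressions, because the runner substitutes them into the script text before bash parses it; the documented mitigation is to map them through the step's `env:` (e.g. `BASE_SHA: ${{ github.event.pull_request.base.sha }}`) and reference `"$BASE_SHA"` in the script. The enclosing `run:` block starts and ends outside the hunk.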
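Review bot: The added `echo "Analyzing: $(printf '%q' "$CONTRACT")"` in the second hunk sits inside the heredoc body, before `EOF`, so it is never executed as a command: it is either copied verbatim into `contract-report.md` or, if the heredoc opener (outside the hunk) is unquoted, expanded while `$CONTRACT` is still unset, since the `while IFS= read -r CONTRACT` loop only begins after `EOF`. It also replaces the blank line that separated the introductory paragraph from the per-file sections in the rendered markdown. If a progress line is wanted it belongs inside the loop as `echo "Analyzing: $CONTRACT" >&2`; otherwise the removed blank line should be restored.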
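Review bot: The third hunk drops the `CONSUMERS=$(echo "$RESULT" | jq -r '.consumers | length // 0')` assignment while keeping the sibling `VISIBILITY` and `RISK` extractions, so any later reference to `$CONSUMERS` in the report body (beyond the hunk) now reads an empty value. The heading line that replaces it uses `printf '%q'`, which produces shell quoting (`\ ` for spaces, `$'…'` for control characters) rather than markdown escaping, so paths render oddly; the escaped backticks already make `"$CONTRACT"` plain text in that `echo`. The untrusted-input point named in the commit title is not addressed here: `$CONTRACT` is still interpolated raw into the URL in `RESULT=$(curl -s "http://localhost:8080/contracts/impact?path=$CONTRACT" …)` two lines above, so a path containing `&`, `#` or `?` changes the request; encode it with `RESULT=$(curl -sG --data-urlencode "path=$CONTRACT" http://localhost:8080/contracts/impact || echo '{}')`. The loop body continues outside the hunk.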