chore: avoid shell expansion and move permissions from workflow to per job level

jdomeracki-coder · david-fraley · commit 7462fe9ed87e · 2025-12-11T19:09:27.000Z
diff --git a/.github/workflows/classify-issue-severity.yml b/.github/workflows/classify-issue-severity.yml
@@ -9,7 +9,6 @@ on:
     types: [labeled]
 
 permissions:
-  issues: write
   contents: read
 
 jobs:
@@ -140,14 +139,17 @@ jobs:
     needs: analyze
     runs-on: ubuntu-latest
     if: always() && needs.analyze.result != 'skipped'
+    permissions:
+      issues: write
+      contents: read
 
     steps:
       - name: Parse and Validate Analysis
         id: parse
+        env:
+          RESULT: ${{ needs.analyze.outputs.result }}
         run: |
           # Parse the JSON output from claude-code-action
-          RESULT='${{ needs.analyze.outputs.result }}'
-
           echo "Raw result: $RESULT"
 
           # Extract JSON from the result
@@ -200,8 +202,10 @@ jobs:
         if: steps.parse.outputs.status == 'classified'
         env:
           GH_TOKEN: ${{ github.token }}
+          SEVERITY: ${{ steps.parse.outputs.severity }}
+          REASONING: ${{ steps.parse.outputs.reasoning }}
         run: |
-          SEVERITY_UPPER=$(echo "${{ steps.parse.outputs.severity }}" | tr '[:lower:]' '[:upper:]')
+          SEVERITY_UPPER=$(echo "$SEVERITY" | tr '[:lower:]' '[:upper:]')
 
           gh issue comment ${{ github.event.issue.number }} \
             --repo ${{ github.repository }} \
@@ -210,7 +214,7 @@ jobs:
           **Recommended Severity:** \`${SEVERITY_UPPER}\`
 
           **Analysis:**
-          ${{ steps.parse.outputs.reasoning }}
+          ${REASONING}
 
           ---
           *This classification was performed by AI analysis. Please review and adjust if needed.*"
@@ -219,6 +223,8 @@ jobs:
         if: steps.parse.outputs.status == 'insufficient_info'
         env:
           GH_TOKEN: ${{ github.token }}
+          REASONING: ${{ steps.parse.outputs.reasoning }}
+          NEXT_STEPS: ${{ steps.parse.outputs.next_steps }}
         run: |
           gh issue comment ${{ github.event.issue.number }} \
             --repo ${{ github.repository }} \
@@ -227,10 +233,10 @@ jobs:
           **Status:** Unable to classify - insufficient information
 
           **Reasoning:**
-          ${{ steps.parse.outputs.reasoning }}
+          ${REASONING}
 
           **Suggested next steps:**
-          ${{ steps.parse.outputs.next_steps }}
+          ${NEXT_STEPS}
 
           ---
           *This classification was performed by AI analysis. Please provide the requested information for proper severity assessment.*"
