| gh api "repos/$REPO/pulls/$PR_NUMBER" > pr.json | ||
| { | ||
| echo "TITLE=$(jq -r .title pr.json)" | ||
| echo "BODY<<__EOF__" |
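Review bot: the `echo "TITLE=$(jq -r .title pr.json)"` line writes an untrusted PR field into GITHUB_ENV as a bare `KEY=value` line with no delimiter at all, and the BODY line right after it relies on the fixed `__EOF__` delimiter, so both fields should be handled the same way. Suggest either dropping GITHUB_ENV for these values and letting the consuming step read pr.json with `jq --arg`, or, if GITHUB_ENV is kept, using the heredoc form with a per-run random delimiter for every field, for example `delim="ghadelim_$(openssl rand -hex 16)"` followed by `echo "BODY<<$delim"` and `echo "$delim"`, so that no value copied from the PR can match the terminator.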
WARNING: PR bodies can break out of the fixed GITHUB_ENV heredoc
The PR body is untrusted input, and a body containing a line equal to __EOF__ terminates this heredoc early and lets following lines be interpreted as additional GITHUB_ENV commands for later steps. Avoid writing arbitrary PR text to GITHUB_ENV with a static delimiter; build payload.json directly from pr.json, or use a generated delimiter that cannot appear in the value.
| # For workflow_dispatch it evaluates to empty, so we fall back to the | ||
| # values written to GITHUB_ENV by the "Fetch PR metadata" step above. | ||
| PR_NUMBER: ${{ github.event.pull_request.number || inputs.pr_number }} | ||
| TITLE: ${{ github.event.pull_request.title || env.TITLE }} |
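Review bot: both sources feeding `TITLE` here, the `github.event.pull_request.title` payload value and the `env.TITLE` fallback written by the fetch step, are attacker-influenced text, so passing them through the step's `env:` block is only safe if the step's `run:` script references them as `"$TITLE"` and `"$BODY"` and builds payload.json with `jq --arg` rather than string interpolation; a `${{ env.TITLE }}` or `${{ github.event.pull_request.title }}` expression inside the `run:` body would reintroduce script injection. Suggest a comment above the `env:` mapping stating that rule, alongside the existing one explaining the workflow_dispatch fallback.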
WARNING: Manual-dispatch metadata can be overwritten with empty values
Values written via $GITHUB_ENV are available to the next step's shell environment, but this step immediately redefines TITLE, BODY, AUTHOR, MERGED_AT, and PR_URL through its own env: block. On workflow_dispatch, ${{ env.TITLE }} is not the runtime value appended in the previous step, so the manual test path can send empty metadata instead of the fetched PR fields.
Code Review Summary
Status: 2 Issues Found | Recommendation: Address before merge
Files Reviewed (1 file)
Reviewed by gpt-5.5-2026-04-23 · 121,375 tokens