chore

Author: HUAHUAI23

.github/workflows/pr-check.yml

@@ -3,6 +3,7 @@ name: PR Check
 permissions:
   contents: read
   pull-requests: write
+  issues: write
 
 on:
   pull_request:
@@ -132,9 +133,12 @@ jobs:
         uses: actions/github-script@v7
         with:
           script: |
+            // Security: Use context object instead of direct template injection to prevent script injection
             const lintBuildResult = '${{ needs.lint-and-build.result }}';
             const dockerResult = '${{ needs.docker-build-test.result }}';
             const prNumber = context.payload.pull_request.number;
+            const commitSha = context.payload.pull_request.head.sha;
+            const branchName = context.payload.pull_request.head.ref;
 
             let allPassed = lintBuildResult === 'success' && dockerResult === 'success';
             let emoji = allPassed ? '✅' : '❌';
@@ -171,8 +175,8 @@ jobs:
               }
             }
 
-            body += `**Commit:** \`${{ github.event.pull_request.head.sha }}\`\n`;
-            body += `**Branch:** \`${{ github.head_ref }}\`\n`;
+            body += `**Commit:** \`${commitSha}\`\n`;
+            body += `**Branch:** \`${branchName}\`\n`;
 
             const { data: comments } = await github.rest.issues.listComments({
               owner: context.repo.owner,