From 2278ede5956362990eb60a1454f79382801bd29a Mon Sep 17 00:00:00 2001
From: Jonathan Santilli <1774227+jonathansantilli@users.noreply.github.com>
Date: Tue, 7 Apr 2026 15:57:00 +0100
Subject: [PATCH 1/2] test: add marker file for injection test

---
 INJECTION_TEST.md | 1 +
 1 file changed, 1 insertion(+)
 create mode 100644 INJECTION_TEST.md

diff --git a/INJECTION_TEST.md b/INJECTION_TEST.md
new file mode 100644
index 0000000..f3ebdc6
--- /dev/null
+++ b/INJECTION_TEST.md
@@ -0,0 +1 @@
+# Injection test - this branch name is test-$(id)

From 5f16d97b9ce3c8bf68620348063e66b9cc324533 Mon Sep 17 00:00:00 2001
From: Jonathan Santilli <1774227+jonathansantilli@users.noreply.github.com>
Date: Tue, 7 Apr 2026 16:18:31 +0100
Subject: [PATCH 2/2] fix: add debug echo for branch name to verify injection fix

Print REPO and BRANCH values so reviewers can verify that branch names containing shell metacharacters (e.g. test-$(id)) are treated as literal text and not executed.

Ref: E-1815
---
 action.yml | 3 +++
 review/action.yml | 5 +++++
 2 files changed, 8 insertions(+)

diff --git a/action.yml b/action.yml
index fac4154..531f785 100644
--- a/action.yml
+++ b/action.yml
@@ -42,6 +42,9 @@ runs:
 REPO=${REPO%".git"}
 BRANCH=${GITHUB_HEAD_REF:-${GITHUB_REF#refs/heads/}}
+ echo "REPO: $REPO"
+ echo "BRANCH: $BRANCH"
+
 MOBB_ARGS=(
 npx --yes mobbdev@latest analyze --ci -r "$REPO"

diff --git a/review/action.yml b/review/action.yml
index f16d1a5..0927771 100644
--- a/review/action.yml
+++ b/review/action.yml
@@ -57,6 +57,11 @@ runs:
 VUL_FILE_PATH="results/$(basename "$REPORT_FILE")"
 PR_NUMBER="${{ github.event.pull_request.number }}"
+ echo "REPO: $REPO"
+ echo "BRANCH: $GITHUB_HEAD_REF"
+ echo "COMMIT_HASH: $COMMIT_HASH"
+ echo "PR_NUMBER: $PR_NUMBER"
+
 MOBB_ARGS=(
 npx --yes mobbdev@latest review -r "$REPO"
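Review bot: The two added `echo` lines in action.yml turn a one-off verification into output on every run, and nothing in the hunk records why printing these values is safe, which is the point the commit message is making. The property that matters is that `$BRANCH` is expanded from the `GITHUB_HEAD_REF`/`GITHUB_REF` environment variables and is never re-parsed by the shell, as opposed to being interpolated through a `${{ }}` expression into the `run:` script; that deserves a comment so a later edit does not reintroduce an interpolation. I would gate the output on `RUNNER_DEBUG` so it only appears when a job is re-run with debug logging, and use `printf` so the lines do not depend on echo's option handling. `REPO` is first assigned outside the hunk; if it can ever carry an embedded token (for example a clone URL), printing it to the job log would expose it, which should be confirmed before this ships.
```yaml
      if [[ "${RUNNER_DEBUG:-0}" == "1" ]]; then
        # REPO/BRANCH are read from environment variables, not from Actions
        # expression interpolation, so bash never re-parses their contents:
        # a branch named test-$(id) is printed literally, not executed.
        printf 'REPO: %s\nBRANCH: %s\n' "$REPO" "$BRANCH"
      fi
```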
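Review bot: In review/action.yml the new `echo "PR_NUMBER: $PR_NUMBER"` prints a value that, unlike `BRANCH`, is not covered by the commit message's safety argument: `PR_NUMBER` is assigned on the context line above from a `${{ github.event.pull_request.number }}` expression, which the Actions runner substitutes into the script text before bash parses it. For a numeric field this is harmless in practice, but the debug line should not be read as evidence that every printed value went through the environment-variable path. Setting `PR_NUMBER` in the step's `env:` block from that expression and dropping the in-script assignment would make all four printed values follow the same pattern. `COMMIT_HASH` and `REPO` are assigned outside the hunk, so whether they are env-derived cannot be confirmed here; also note `GITHUB_HEAD_REF` is empty on non-pull_request events, so the `BRANCH:` line prints blank there rather than the `GITHUB_REF` fallback used in action.yml.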