From 4cb30b68e2a98d9f22597b5acb112ae74ebdedb6 Mon Sep 17 00:00:00 2001 From: Adrian Taut Date: Tue, 24 Feb 2026 20:43:57 +0200 Subject: [PATCH 1/4] =?UTF-8?q?fix:=20sanitize=20commit=20message=20for=20?= =?UTF-8?q?JSON=20=E2=80=94=20take=20first=20line=20only?= MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8 Content-Transfer-Encoding: 8bit Multi-line commit messages break the JSON payload with unescaped newlines. Extract just the first line and escape quotes. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/infra-deploy.yml | 10 +++++++--- 1 file changed, 7 insertions(+), 3 deletions(-) diff --git a/.github/workflows/infra-deploy.yml b/.github/workflows/infra-deploy.yml index a63b1f1547..098b1c4052 100644 --- a/.github/workflows/infra-deploy.yml +++ b/.github/workflows/infra-deploy.yml @@ -78,10 +78,14 @@ jobs: set -euo pipefail yarn cdk deploy --require-approval never --context imageVersion=${{ inputs.imageVersion }} - - name: Set short SHA + - name: Prepare notification vars if: ${{ always() }} id: vars - run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT + run: | + echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT + COMMIT_MSG=$(echo "${{ github.event.head_commit.message }}" | head -1 | sed 's/"/\\"/g') + echo "commit_msg=$COMMIT_MSG" >> $GITHUB_OUTPUT + working-directory: . - name: Mattermost Notification if: ${{ always() }} 
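Review bot: In the added `run:` block, `${{ github.event.head_commit.message }}` is expanded into the script text before bash starts, so quotes, `$(...)` or backticks in a commit message are interpreted by the shell, and the `sed` runs too late to help. This job has just run `yarn cdk deploy --require-approval never`, so the runner presumably still holds deploy credentials at that point. Pass the value through the environment instead: add `env:` with `RAW_MSG: ${{ github.event.head_commit.message }}` and read it as `printf '%s\n' "$RAW_MSG" | head -n 1`. Patch 2/4 of this series makes that move, so folding it into this commit would avoid leaving an injectable revision in history. The step list continues outside the hunk.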
@@ -94,6 +98,6 @@ jobs: "username": "${{ github.event.repository.name }}-deployer", "attachments": [{ "color": "${{ job.status == 'success' && '#2EA043' || '#D40E0D' }}", - "text": "##### Fizzy CDK Deployment\n| | |\n|:--|:--|\n| **Product** | [fizzy](${{ github.server_url }}/${{ github.repository }}) |\n| **Environment** | `${{ env.ENVIRONMENT }}` |\n| **Image Version** | `${{ inputs.imageVersion }}` |\n| **Actions URL** | [Deploy](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |\n| **Commit** | [`${{ steps.vars.outputs.short_sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) |\n| **Actor** | [${{ github.actor }}](${{ github.server_url }}/${{ github.actor }}) |\n\n**Commit Message:** ${{ github.event.head_commit.message }}" + "text": "##### Fizzy CDK Deployment\n| | |\n|:--|:--|\n| **Product** | [fizzy](${{ github.server_url }}/${{ github.repository }}) |\n| **Environment** | `${{ env.ENVIRONMENT }}` |\n| **Image Version** | `${{ inputs.imageVersion }}` |\n| **Actions URL** | [Deploy](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |\n| **Commit** | [`${{ steps.vars.outputs.short_sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) |\n| **Actor** | [${{ github.actor }}](${{ github.server_url }}/${{ github.actor }}) |\n\n**Commit Message:** ${{ steps.vars.outputs.commit_msg }}" }] } From 1c9dda470d690dabfb38f36f47e47a00b22accdd Mon Sep 17 00:00:00 2001 From: Adrian Taut Date: Tue, 24 Feb 2026 20:44:26 +0200 Subject: [PATCH 2/4] fix: use env var for commit message to avoid shell injection Co-Authored-By: Claude Opus 4.6 --- .github/workflows/infra-deploy.yml | 6 ++++-- 1 file changed, 4 insertions(+), 2 deletions(-) diff --git a/.github/workflows/infra-deploy.yml b/.github/workflows/infra-deploy.yml index 098b1c4052..89877a3f80 100644 --- a/.github/workflows/infra-deploy.yml +++ b/.github/workflows/infra-deploy.yml 
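Review bot: `${{ steps.vars.outputs.commit_msg }}` is pasted into the `"text"` JSON string with only `"` escaped, so a message containing a backslash (one ending in `\`, or containing `\"`) still produces invalid JSON or closes the string early. Escape backslashes before quotes in the producing step, `sed 's/\\/\\\\/g; s/"/\\"/g'`, or build the payload with a JSON serialiser such as `jq` instead of string templating. The value is also rendered as Markdown by the receiving channel, so links and mentions in a commit message would show up in the notification as written; wrapping it in a code span would limit that. The payload object starts above this hunk.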
@@ -81,10 +81,12 @@ jobs: - name: Prepare notification vars if: ${{ always() }} id: vars + env: + RAW_MSG: ${{ github.event.head_commit.message }} run: | echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT - COMMIT_MSG=$(echo "${{ github.event.head_commit.message }}" | head -1 | sed 's/"/\\"/g') - echo "commit_msg=$COMMIT_MSG" >> $GITHUB_OUTPUT + FIRST_LINE=$(echo "$RAW_MSG" | head -1) + echo "commit_msg=$FIRST_LINE" >> $GITHUB_OUTPUT working-directory: . - name: Mattermost Notification From f9d3e91b9d87851f9015a62a01ad847dc554bc0b Mon Sep 17 00:00:00 2001 From: Adrian Taut Date: Tue, 24 Feb 2026 20:47:26 +0200 Subject: [PATCH 3/4] chore: remove commit message from notification Avoids JSON escaping issues with multi-line commit messages. Commit SHA link is sufficient to view details. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/infra-deploy.yml | 11 +++-------- 1 file changed, 3 insertions(+), 8 deletions(-) diff --git a/.github/workflows/infra-deploy.yml b/.github/workflows/infra-deploy.yml index 89877a3f80..5d93516419 100644 --- a/.github/workflows/infra-deploy.yml +++ b/.github/workflows/infra-deploy.yml @@ -78,15 +78,10 @@ jobs: set -euo pipefail yarn cdk deploy --require-approval never --context imageVersion=${{ inputs.imageVersion }} - - name: Prepare notification vars + - name: Set short SHA if: ${{ always() }} id: vars - env: - RAW_MSG: ${{ github.event.head_commit.message }} - run: | - echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT - FIRST_LINE=$(echo "$RAW_MSG" | head -1) - echo "commit_msg=$FIRST_LINE" >> $GITHUB_OUTPUT + run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT working-directory: . - name: Mattermost Notification 
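Review bot: The new `FIRST_LINE=$(echo "$RAW_MSG" | head -1)` drops the quote escaping that 1/4 added, while `commit_msg` is still interpolated into the JSON `"text"` string by the notification step, which this patch does not change. Moving the message into `RAW_MSG` does fix the shell expansion, but a commit message containing `"` or `\` would again break or restructure the payload. Keep the escaping on the env-sourced value, e.g. `FIRST_LINE=$(printf '%s\n' "$RAW_MSG" | head -n 1 | sed 's/\\/\\\\/g; s/"/\\"/g')`; `printf` also avoids `echo` treating a leading `-n` or `-e` as an option. Quoting the redirect target, `>> "$GITHUB_OUTPUT"`, is the usual form.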
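Review bot: The context line `yarn cdk deploy --require-approval never --context imageVersion=${{ inputs.imageVersion }}` in this hunk still expands a workflow input straight into the deploy script, unquoted, which is the same pattern 2/4 removed for the commit message. This commit does not touch that line, and who may set the input is not visible here, but the same value is also templated into the JSON payload in the following hunk (`@@ -100,6 +95,6 @@`). Consider giving the deploy step `env:` with `IMAGE_VERSION: ${{ inputs.imageVersion }}` and calling `--context "imageVersion=$IMAGE_VERSION"`, plus a format check on the value before it is used. The deploy step begins above the hunk.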
@@ -100,6 +95,6 @@ jobs: "username": "${{ github.event.repository.name }}-deployer", "attachments": [{ "color": "${{ job.status == 'success' && '#2EA043' || '#D40E0D' }}", - "text": "##### Fizzy CDK Deployment\n| | |\n|:--|:--|\n| **Product** | [fizzy](${{ github.server_url }}/${{ github.repository }}) |\n| **Environment** | `${{ env.ENVIRONMENT }}` |\n| **Image Version** | `${{ inputs.imageVersion }}` |\n| **Actions URL** | [Deploy](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |\n| **Commit** | [`${{ steps.vars.outputs.short_sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) |\n| **Actor** | [${{ github.actor }}](${{ github.server_url }}/${{ github.actor }}) |\n\n**Commit Message:** ${{ steps.vars.outputs.commit_msg }}" + "text": "##### Fizzy CDK Deployment\n| | |\n|:--|:--|\n| **Product** | [fizzy](${{ github.server_url }}/${{ github.repository }}) |\n| **Environment** | `${{ env.ENVIRONMENT }}` |\n| **Image Version** | `${{ inputs.imageVersion }}` |\n| **Actions URL** | [Deploy](${{ github.server_url }}/${{ github.repository }}/actions/runs/${{ github.run_id }}) |\n| **Commit** | [`${{ steps.vars.outputs.short_sha }}`](${{ github.server_url }}/${{ github.repository }}/commit/${{ github.sha }}) |\n| **Actor** | [${{ github.actor }}](${{ github.server_url }}/${{ github.actor }}) |" }] } From ddc3dfc0518e9212c1ec79b6f1c5b11aac46cccb Mon Sep 17 00:00:00 2001 From: Adrian Taut Date: Tue, 24 Feb 2026 20:47:44 +0200 Subject: [PATCH 4/4] chore: remove unnecessary working-directory override The infra/ directory exists after checkout in the real deploy flow. Co-Authored-By: Claude Opus 4.6 --- .github/workflows/infra-deploy.yml | 1 - 1 file changed, 1 deletion(-) diff --git a/.github/workflows/infra-deploy.yml b/.github/workflows/infra-deploy.yml index 5d93516419..cee24479ed 100644 --- a/.github/workflows/infra-deploy.yml +++ b/.github/workflows/infra-deploy.yml 
@@ -82,7 +82,6 @@ jobs: if: ${{ always() }} id: vars run: echo "short_sha=${GITHUB_SHA::7}" >> $GITHUB_OUTPUT - working-directory: . - name: Mattermost Notification if: ${{ always() }}