Pass evaluate exit code via marker file instead of $GITHUB_OUTPUT

octoscan flags any new bash write to `$GITHUB_OUTPUT` as a potential output-injection sink. The PHP exit code is safe in practice, but bundling it into the artifact as a marker filename (read in pr-comment-finalize via `hashFiles()`) sidesteps the rule entirely.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: ondrejmirtes

.github/workflows/issue-bot.yml

@@ -197,9 +197,6 @@ jobs:
 
     runs-on: "ubuntu-latest"
 
-    outputs:
-      pr-evaluate-exit-code: ${{ steps.evaluate-pr.outputs.exit_code }}
-
     steps:
       - name: Harden the runner (Audit all outbound calls)
         uses: step-security/harden-runner@5ef0c079ce82195b2a36a210272d6b661572d83e # v2.14.2
@@ -240,7 +237,6 @@ jobs:
         run: "ls -lA issue-bot/tmp"
 
       - name: "Evaluate results - pull request"
-        id: evaluate-pr
         working-directory: "issue-bot"
         if: github.event_name == 'pull_request'
         env:
@@ -265,13 +261,16 @@ jobs:
             fi
           } > tmp/pr-comment.md
 
-          echo "exit_code=$exit_code" >> "$GITHUB_OUTPUT"
+          # Marker file picked up by pr-comment-finalize via hashFiles() — avoids writing to $GITHUB_OUTPUT.
+          case "$exit_code" in
+            0|2) touch "tmp/pr-comment-exit-$exit_code" ;;
+          esac
 
           if [[ "$exit_code" == "2" ]]; then
             echo "::notice file=.github/workflows/issue-bot.yml,line=3 ::Issue bot detected open issues which are affected by this pull request - see $job_url"
           fi
 
-          # Always exit 0 for the PR pathway so the pr-comment-finalize job still receives outputs/artifacts.
+          # Always exit 0 for the PR pathway so the pr-comment-finalize job still receives the artifact.
           exit 0
 
       - name: "Upload step summary"
@@ -286,7 +285,9 @@ jobs:
         uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
         with:
           name: pr-comment
-          path: issue-bot/tmp/pr-comment.md
+          path: |
+            issue-bot/tmp/pr-comment.md
+            issue-bot/tmp/pr-comment-exit-*
 
       - name: "Evaluate results - push"
         working-directory: "issue-bot"
@@ -334,7 +335,7 @@ jobs:
           body-includes: "<!-- phpstan-issue-bot -->"
 
       - name: "Post/update PR comment (changes)"
-        if: needs.evaluate.outputs.pr-evaluate-exit-code == '2'
+        if: hashFiles('pr-comment-exit-2') != ''
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           comment-id: ${{ steps.find-comment.outputs.comment-id }}
@@ -343,7 +344,7 @@ jobs:
           body-path: pr-comment.md
 
       - name: "Update PR comment (no changes, only if exists)"
-        if: needs.evaluate.outputs.pr-evaluate-exit-code == '0' && steps.find-comment.outputs.comment-id != ''
+        if: hashFiles('pr-comment-exit-0') != '' && steps.find-comment.outputs.comment-id != ''
         uses: peter-evans/create-or-update-comment@71345be0265236311c031f5c7866368bd1eff043 # v4.0.0
         with:
           comment-id: ${{ steps.find-comment.outputs.comment-id }}