fix(ci): harden react-doctor workflow and comment renderer

[pauldambra]

Problem

#2520 added the react-doctor CI action. A multi-perspective review of the equivalent change on posthog/posthog (PostHog/posthog#62084) surfaced a few reliability and robustness issues in the same workflow + renderer that were already merged here. This is the catch-up hardening.

Changes

react-doctor.yml:

• Fail closed on git diff failure. The scan step runs set -uo pipefail without -e, so previously if git diff base...head failed (e.g. the base SHA was missing), the redirect left an empty changed-files list — indistinguishable from "no changes" — and the gate passed green without scanning anything. Now a failed diff exits 1.
• Edit-safe exit-code capture. npx ... > "$REPORT"; status=$? on adjacent lines instead of echo "exit-code=$?", so the gate can't be silently broken by inserting a command between the run and the capture.

react-doctor-comment.mjs:

• Cap the errors list at MAX_LISTED (50) like warnings already were, so a large error set can't exceed GitHub's 65536-char comment limit (which would 422 and post no comment). Named the shared cap.
• Neutralise PR-controlled strings. Strip backticks and angle brackets from file paths, rule names, and titles so a crafted filename can't spoof the comment layout (e.g. inject a stray </details> or a fake "no issues" line). GitHub already sanitises for XSS; this prevents cosmetic spoofing.

No behaviour change for the normal (clean / has-findings) path.

How did you test this?

I'm an agent. Validated the workflow YAML parses, ran the renderer locally against synthetic reports including a malicious-input case (backtick/angle-bracket file path and </details><script> title) to confirm they're stripped, and ran Biome (biome ci) on the renderer. The workflow exercises itself on this PR.

Publish to changelog?

no

---

Created with PostHog Code

[pauldambra]

• fix(ci): harden react-doctor workflow and comment renderer #2525 👈 (View in Graphite)
• main

This stack of pull requests is managed by Graphite. Learn more about stacking.

[github-actions]

React Doctor found no issues in the changed files. 🎉

_{Reviewed by React Doctor for commit 0f9835e.}

[chatgpt-codex-connector]

💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 0f9835e9c6

ℹ️ About Codex in GitHub

Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you

• Open a pull request for review
• Mark a draft as ready
• Comment "@codex review".

If Codex has suggestions, it will comment; otherwise it will react with 👍.

Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".

[greptile-apps]

Prompt To Fix All With AI

Fix the following 1 code review issue. Work through them one at a time, proposing concise fixes.

---

### Issue 1 of 1
.github/scripts/react-doctor-comment.mjs:29-32
The URL portion of the Markdown link still uses the raw `file` value. File paths that contain a `)` character — reasonably common in React codebases (e.g., `Button(deprecated).tsx`) — will cause GFM to close the link at the first unmatched `)`, producing a broken link and leaking the remainder as visible text. The display text is correctly sanitised by `inline(file)`, but the URL path is not.

```suggestion
const encodedFilePath = (file) =>
  file
    .split("/")
    .map((segment) => encodeURIComponent(segment))
    .join("/");
const fileLink = (file, line) =>
  slug && head
    ? `[\`${inline(file)}:${line}\`](${server}/${slug}/blob/${head}/${encodedFilePath(file)}#L${line})`
    : `\`${inline(file)}:${line}\``;
```

_{Reviews (1): Last reviewed commit: "fix(ci): harden react-doctor workflow an..." | Re-trigger Greptile}