From 3a47315194ce13ac406be47e0419e0252abb530b Mon Sep 17 00:00:00 2001
From: Timothee Guerin
Date: Wed, 25 Mar 2026 13:23:36 -0700
Subject: [PATCH] Potential fix for code scanning alert no. 107: Artifact poisoning

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
---
 .github/workflows/commenter.yml | 5 ++++-
 1 file changed, 4 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/commenter.yml b/.github/workflows/commenter.yml
index e1889595736..60f6247e287 100644
--- a/.github/workflows/commenter.yml
+++ b/.github/workflows/commenter.yml
@@ -19,11 +19,14 @@ jobs:
 runs-on: ubuntu-latest
 steps:
 - uses: actions/checkout@v4
+ - name: Prepare artifact directory
+ run: mkdir -p "${{ runner.temp }}/comment-artifact"
 - uses: actions/download-artifact@v4
 with:
 name: comment
 run-id: ${{github.event.workflow_run.id }}
 github-token: ${{secrets.GITHUB_TOKEN}}
+ path: ${{ runner.temp }}/comment-artifact
 - name: Display structure of downloaded files
 run: ls -R
@@ -32,7 +35,7 @@ jobs:
 - run: pnpm install
 name: Install dependencies
- - run: pnpm chronus-github-pr-commenter --comment-file comment.json
+ - run: pnpm chronus-github-pr-commenter --comment-file "${{ runner.temp }}/comment-artifact/comment.json"
 env:
 GITHUB_TOKEN: ${{secrets.GITHUB_TOKEN}}
 name: Create/update comment
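Review bot: The `Display structure of downloaded files` step in the first hunk still runs `ls -R` from the workspace, so after this change it no longer shows the downloaded artifact and instead prints the whole checked-out tree; it should point at the new location, `run: ls -R "${{ runner.temp }}/comment-artifact"`. Moving the download out of the checkout into `runner.temp` is the right mitigation here, since the artifact is produced by the triggering `workflow_run` and could otherwise overwrite files that the later `pnpm install` and commenter steps read from the workspace, so a short comment above the new `path:` key stating that intent would keep a future cleanup from moving it back, e.g. `# keep the untrusted artifact outside the checkout so it cannot overwrite repo files`. The added `mkdir -p` step looks redundant, as I believe `actions/download-artifact@v4` creates the destination path itself, though keeping it is harmless. The enclosing job definition starts before and ends after the hunk.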