diff --git a/pkg/workflow/compiler.go b/pkg/workflow/compiler.go
index 7bef53509d..15d5d8278f 100644
--- a/pkg/workflow/compiler.go
+++ b/pkg/workflow/compiler.go
@@ -5,6 +5,7 @@ import (
 "errors"
 "fmt"
 "os"
+ "path/filepath"
 "strings"
 "time"
 
@@ -86,6 +87,9 @@ func (c *Compiler) CompileWorkflowData(workflowData *WorkflowData, markdownPath
 lockFile = baseName + ".campaign.lock.yml"
 }
 
+ // Sanitize the lock file path to prevent path traversal attacks
+ lockFile = filepath.Clean(lockFile)
+
 log.Printf("Starting compilation: %s -> %s", markdownPath, lockFile)
 
 // Validate expression safety - check that all GitHub Actions expressions are in the allowed list
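Review bot: `filepath.Clean(lockFile)` does not do what the new comment claims: Clean only collapses separators and resolves `.`/`..` segments lexically, so a value such as `../../x.lock.yml` comes back unchanged and still escapes the intended output directory. If the goal is to keep the lock file next to its source, the check has to confine the result to a base directory, for example `if rel, err := filepath.Rel(filepath.Dir(markdownPath), lockFile); err != nil || rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) { /* reject: return an error here */ }` (both `strings` and `filepath` are already imported in the first hunk; how the rejection is returned depends on the function's result, which is outside the hunk). Because `lockFile` is derived from `baseName` above the hunk, it is worth confirming where that value comes from and whether a traversal check is even the right layer. At minimum the comment should be reworded so it does not overstate the protection, e.g. `// Normalize the lock file path (Clean does not confine it to a directory)`. CompileWorkflowData starts and ends outside this hunk.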