diff --git a/.changeset/patch-escape-single-quotes-in-project-views.md b/.changeset/patch-escape-single-quotes-in-project-views.md
new file mode 100644
index 0000000000..8bb63fb557
--- /dev/null
+++ b/.changeset/patch-escape-single-quotes-in-project-views.md
@@ -0,0 +1,14 @@
+---
+"gh-aw": patch
+---
+
+Escape single quotes and backslashes when embedding JSON into shell environment
+variables to prevent shell injection. This fixes a code-scanning finding
+(`go/unsafe-quoting`) by properly escaping backslashes and single quotes
+before inserting JSON into a single-quoted shell string.
+
+Files changed:
+- `pkg/workflow/update_project_job.go` (apply POSIX-compatible escaping)
+
+This is an internal security fix and does not change the public CLI API.
+
diff --git a/pkg/workflow/update_project_job.go b/pkg/workflow/update_project_job.go
index c4b7362e71..0729f3ea35 100644
--- a/pkg/workflow/update_project_job.go
+++ b/pkg/workflow/update_project_job.go
@@ -44,7 +44,8 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
 if err != nil {
 return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
 }
-customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: '%s'\n", string(viewsJSON)))
+// Use %q to properly quote and escape the JSON for YAML
+customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
 }
 
 jobCondition := BuildSafeOutputType("update_project")
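Review bot: The new `%q` line and its comment do not match what the changeset in this same commit records — the changeset says backslashes and single quotes are escaped for a single-quoted shell string ("POSIX-compatible escaping"), whereas the code now emits a Go double-quoted literal as a YAML scalar, so one of the two must be corrected before the `go/unsafe-quoting` finding is closed. On the quoting itself, `%q` (strconv.Quote) only produces `\"`, `\\`, `\a`…`\v`, `\xXX`, `\uXXXX` and `\UXXXXXXXX`, all of which are valid YAML double-quoted escapes, so the marshalled JSON can no longer terminate the scalar and inject further keys into the generated workflow; I would state that guarantee instead of the vague "properly quote": `// %q yields a Go double-quoted literal whose escapes are all valid in a YAML double-quoted scalar, so the JSON cannot break out of the env value.` This hardens the YAML layer only — if a generated step later interpolates `${{ env.GH_AW_PROJECT_VIEWS }}` into a `run:` script (not visible in this hunk), that path remains injectable and should read `"$GH_AW_PROJECT_VIEWS"` from the process environment instead. A regression test that compiles a views config containing `'`, `"`, `\`, a newline and a `${{ ... }}` expression, then parses the emitted YAML back to the original JSON, would pin this behavior. buildUpdateProjectJob begins and ends outside the hunk.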