diff --git a/pkg/workflow/update_project_job.go b/pkg/workflow/update_project_job.go
index 0729f3ea35..03c48ecb00 100644
--- a/pkg/workflow/update_project_job.go
+++ b/pkg/workflow/update_project_job.go
@@ -44,7 +44,10 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
 if err != nil {
 return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
 }
- // Use %q to properly quote and escape the JSON for YAML
+ // lgtm[go/unsafe-quoting] - This generates YAML environment variable declarations, not shell commands.
+ // The %q format specifier properly escapes the JSON string for YAML syntax. There is no shell injection
+ // risk because this value is set as an environment variable in the GitHub Actions YAML configuration,
+ // not executed as shell code.
 customEnvVars = append(customEnvVars, fmt.Sprintf(" GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
 }
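Review bot: The suppression rationale in the added comment only covers the YAML-quoting layer, while its claim that the value is "not executed as shell code" depends on how the generated step consumes GH_AW_PROJECT_VIEWS, which is outside this hunk: a consumer that interpolates `${{ env.GH_AW_PROJECT_VIEWS }}` into a `run:` script would pass the JSON (taken from the workflow's views configuration) to the shell verbatim, whereas reading the process environment variable does not. The comment should state that precondition, e.g. `// Safe only while consumers read the variable from the process environment, never via ${{ env.* }} expression interpolation into run: steps.`, so a future consumer does not inherit the suppression without the assumption. The wording "escapes the JSON string for YAML syntax" would be more precise as "produces a Go-quoted string whose escapes (\", \\, \n, \t, \uNNNN, …) are all valid in a YAML double-quoted scalar", since %q is Go literal quoting rather than YAML quoting. Please also confirm the scanner honors an lgtm[...] marker that sits three comment lines above the flagged fmt.Sprintf call; if it only recognizes a marker on the flagged line or the line immediately before it, the suppression will not take effect. buildUpdateProjectJob starts before the hunk and appears to continue after it.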