[code-scanning-fix] Fix go/unsafe-quoting: Use base64 encoding for project views configuration

pkg/workflow/update_project_job.go

@@ -1,6 +1,7 @@
 package workflow
 
 import (
+	"encoding/base64"
 	"encoding/json"
 	"fmt"
 )
@@ -44,11 +45,9 @@ func (c *Compiler) buildUpdateProjectJob(data *WorkflowData, mainJobName string)
 		if err != nil {
 			return nil, fmt.Errorf("failed to marshal views configuration: %w", err)
 		}
-		// lgtm[go/unsafe-quoting] - This generates YAML environment variable declarations, not shell commands.
-		// The %q format specifier properly escapes the JSON string for YAML syntax. There is no shell injection
-		// risk because this value is set as an environment variable in the GitHub Actions YAML configuration,
-		// not executed as shell code.
-		customEnvVars = append(customEnvVars, fmt.Sprintf("          GH_AW_PROJECT_VIEWS: %q\n", string(viewsJSON)))
+		// Use base64 encoding to safely pass JSON data through YAML without any quoting concerns
+		viewsBase64 := base64.StdEncoding.EncodeToString(viewsJSON)
+		customEnvVars = append(customEnvVars, fmt.Sprintf("          GH_AW_PROJECT_VIEWS_BASE64: %q\n", viewsBase64))
 	}
 
 	jobCondition := BuildSafeOutputType("update_project")