The conversion uses toJSON(steps.git-cliff.outputs.content) and then echoes it as a literal string, which produces a JSON-escaped value (surrounding quotes and escaped \n). That means sed will run against the escaped representation and the Slack output is likely to contain quotes/backslashes instead of proper newlines/markdown. Consider passing the raw content into the step (e.g., via an env var) or explicitly decoding the JSON string before running the sed transforms.

payload appears to be constructed as JSON/YAML, but release_notes is now injected without quoting/escaping. If steps.slack-notes.outputs.content contains newlines, quotes, or colons, this will break the payload parsing or produce invalid JSON for the Slack webhook. Wrap the value in toJSON(...) (or otherwise ensure proper escaping) so the payload remains valid regardless of release note contents.

Bug: The release_notes value is not wrapped with toJSON(), which will create an invalid payload for the Slack action if the notes contain special characters or newlines.
_{Severity: MEDIUM}

Review the code at the location below. A potential bug has been identified by an AI
agent.
Verify if this is a real issue. If it is, propose a fix; if not, explain why it's not
valid.

Location: .github/workflows/_package-publish.yml#L254

Potential issue: In the `_package-publish.yml` workflow, the `release_notes` field is
populated with raw, potentially multiline content that may contain special characters.
This content is not properly escaped using `toJSON()` before being inserted into the
payload for the `slackapi/slack-github-action`. When the action attempts to parse this
payload, the unescaped value will break the JSON/YAML structure. This will cause the
'Release Announcement' step to fail, preventing release notifications from being sent to
the designated Slack channel.

_{Did we get this right? 👍 / 👎 to inform future reviews.}