diff --git a/.github/workflows/content-lint-markdown.yml b/.github/workflows/content-lint-markdown.yml
index 265fe6fb75..47a1051eaa 100644
--- a/.github/workflows/content-lint-markdown.yml
+++ b/.github/workflows/content-lint-markdown.yml
@@ -32,10 +32,19 @@ jobs:
 id: changed-files
 uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
 with:
+ # No need to escape the file names because we make the output of
+ # tj-actions/changed-files be set as an environment variable. Not
+ # as a direct input to the line of bash that uses it.
+ safe_output: false
 files: |
 content/**
 data/**
 - name: Run content linter if changed content/data files
 if: steps.changed-files.outputs.any_changed == 'true'
- run: npm run lint-content -- --errors-only --paths ${{ steps.changed-files.outputs.all_changed_files }}
+ env:
+ # Make it an environment variable so that its value doesn't need to be escaped.
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ CHANGED_FILES: |-
+ ${{ steps.changed-files.outputs.all_changed_files }}
+ run: npm run lint-content -- --errors-only --paths "$CHANGED_FILES"
diff --git a/.github/workflows/test-changed-content.yml b/.github/workflows/test-changed-content.yml
index f24d769894..d6b2e551b6 100644
--- a/.github/workflows/test-changed-content.yml
+++ b/.github/workflows/test-changed-content.yml
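Review bot: In content-lint-markdown.yml the new `run:` line passes `"$CHANGED_FILES"` as one quoted word, so `--paths` receives a single space-joined string where the old unquoted expression produced one argument per file. Unless the lint-content script splits that value itself (not visible in this diff), a pull request touching several files would be linted as one non-existent path. With `safe_output: false` a file name containing a space also cannot be told apart from the separator. Setting a newline `separator:` on the changed-files step and expanding an array (`mapfile -t files <<< "$CHANGED_FILES"`, then `--paths "${files[@]}"`, assuming the step runs under bash) would keep the intermediate-environment-variable hardening while restoring per-file arguments.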
@@ -47,6 +47,11 @@ jobs:
 id: changed-files
 uses: tj-actions/changed-files@716b1e13042866565e00e85fd4ec490e186c4a2f # v41.0.1
 with:
+ # No need to escape the file names because we make the output of
+ # tj-actions/changed-files be set as an environment variable. Not
+ # as a direct input to the line of bash that uses it.
+ # See https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable
+ safe_output: false
 files: 'content/**'
 # Necessary so we can know what the old name was when a
 # content file was renamed.
diff --git a/src/workflows/get-preview-app-info.sh b/src/workflows/get-preview-app-info.sh
index 094ff29687..3624f683d0 100755
--- a/src/workflows/get-preview-app-info.sh
+++ b/src/workflows/get-preview-app-info.sh
@@ -14,9 +14,10 @@ PREVIEW_ENV_LOCATION="eastus"
-# If a CUSTOM_GITHUB_REPOSITORY variable was set, use that.
-# Otherwise, use the default GITHUB_REPOSITORY value.
-# (This allows us to call this script from another repo.)
+# GITHUB_REPOSITORY is a default env variable and cannot be overwritten.
+# Use CUSTOM_GITHUB_REPOSITORY to specify a repo owner/name
+# other than the repo owner/name where this script was called from.
+# If CUSTOM_GITHUB_REPOSITORY is not specified, fall back to GITHUB_REPOSITORY.
 REPO_NAME_WITH_OWNER="${CUSTOM_GITHUB_REPOSITORY:-$GITHUB_REPOSITORY}"
 REPO_NAME="${REPO_NAME_WITH_OWNER#*\/}"
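Review bot: In test-changed-content.yml, `safe_output: false` turns off the action's escaping, but the step that consumes the output lies outside this hunk and the diff does not touch it, so the added comment's claim that the value only travels through an environment variable cannot be checked here. If any `run:` line in that workflow still interpolates `${{ steps.changed-files.outputs.* }}` inline, file names from a pull request would reach the shell unescaped. I would make the comment name the consumer, e.g. `# Consumed only via the env: block of the "<consuming step name>" step`, and confirm no inline interpolation of these outputs remains in the file.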