Update .github/workflows/scripts/post_render_comment.py

Co-authored-by: Copilot <175728472+Copilot@users.noreply.github.com>

Author: dmcilvaney

.github/workflows/scripts/post_render_comment.py

@@ -212,10 +212,11 @@ def format_comment(
             path = _safe_path(item["path"])
             diff_text = item.get("diff", "")
             fence = _fence_for(diff_text)
-            # Plain markdown — no raw HTML — so an attacker-controlled path
-            # can't introduce tags. `<details>` stays because its children
-            # are plain markdown + a dynamic fence longer than any backtick
-            # run in the diff body.
+            # Emit fixed raw HTML for the collapsible wrapper (`<details>` and
+            # `<summary>`), but keep attacker-controlled content in markdown
+            # code formatting: the path is rendered as code in the summary, and
+            # the diff body is inside a dynamically chosen fence longer than any
+            # backtick run in the diff text.
             block = (
                 "<details>\n"
                 f"<summary>`{path}`</summary>\n\n"