diff --git a/.github/workflows/comment-perf.yaml b/.github/workflows/comment-perf.yaml
index 378604da..38cafe7d 100644
--- a/.github/workflows/comment-perf.yaml
+++ b/.github/workflows/comment-perf.yaml
@@ -27,11 +27,20 @@ jobs:
 - name: Get PR number
 id: get-pr-number
- run: |
- PR_NUMBER=$(gh api "repos/${{ github.repository }}/pulls?head=${{ github.event.workflow_run.head_repository.owner.login }}:${{ github.event.workflow_run.head_branch }}&state=open" --jq '.[0].number')
- echo "number=$PR_NUMBER" >> $GITHUB_OUTPUT
 env:
 GH_TOKEN: ${{ secrets.ROCKSBOT_CHISEL_PR_COMMENTER }}
+ # The branch name is considered an untrusted input value (under the
+ # contributor's control), so store it in a variable to avoid shell
+ # injection.
+ QUERY_PR: "head:${{ github.event.workflow_run.head_branch }} ${{ github.event.workflow_run.head_sha }}"
+ # Filters and formats the JSON into a `key=value` string with basic error handling.
+ JQ_FILTER: >-
+ .[0]
+ | if (.number == null) then error("Could not find PR number") end
+ | "number=\(.number)"
+ run: |
+ gh pr list --repo "${{ github.repository }}" --state all --search "${QUERY_PR}" \
+ --json number --jq "${JQ_FILTER}" >> "${GITHUB_OUTPUT}"
 - name: Post message to PR
 uses: mshick/add-pr-comment@dd126dd8c253650d181ad9538d8b4fa218fc31e8 # v2