MESH-2530 Fix action vulnerable to script injection

Author: acarriedev

.github/workflows/pull-request.yml

@@ -297,11 +297,14 @@ jobs:
       - name: merge into base_branch
         if: ${{ github.event_name == 'pull_request' }}
         run: |
-          echo base branch "${{ github.base_ref }}"
-          echo pr branch "${{ github.head_ref }}"
-          git checkout "${{ github.base_ref }}"
+          echo base branch "$BASE_BRANCH"
+          echo pr branch "$PR_BRANCH"
+          git checkout "$BASE_BRANCH"
           git checkout -b "merging-${{ github.event.number }}"
           git merge --ff-only "${{ github.event.pull_request.head.sha }}"
+        env:
+          BASE_BRANCH: ${{ github.base_ref }}
+          PR_BRANCH: ${{ github.head_ref }}
 
       - name: setup python
         uses: actions/setup-python@v5