ci: Escape new-pr.yml (#3117)

* fix: prevent script injection in new-pr.yml workflow

- Use toJSON() to escape user-provided PR body content
- Use toJSON() to escape github.actor username
- Properly quote variables in bash heredoc
- Fixes Wiz security alert for potential script injection

Co-authored-by: Michael Matloka <dev@twixes.com>

* Quotes not needed now

* The other content is safe

---------

Co-authored-by: Cursor Agent <cursoragent@cursor.com>

Author: Twixes

.github/workflows/new-pr.yml

@@ -27,7 +27,7 @@ jobs:
                       echo "is-shame-worthy=false" >> "$GITHUB_OUTPUT"
                   fi
               env:
-                  RAW_BODY: ${{ github.event.pull_request.body }}
+                  RAW_BODY: ${{ toJSON(github.event.pull_request.body) }}
 
             - name: Shame if PR has no description
               if: steps.is-shame-worthy.outputs.is-shame-worthy == 'true'