fix: prevent shell injection in pre-push hook environment loading (#9059)

Author: daniel-lxs

.husky/pre-push

@@ -18,14 +18,17 @@ fi
 
 $pnpm_cmd run check-types
 
-# Load .env.local if it exists
+# Use dotenvx to securely load .env.local and run commands that depend on it
 if [ -f ".env.local" ]; then
-  export $(grep -v '^#' .env.local | xargs)
-fi
-
-# Run tests if RUN_TESTS_ON_PUSH is set to true
-if [ "$RUN_TESTS_ON_PUSH" = "true" ]; then
-  $pnpm_cmd run test
+  # Check if RUN_TESTS_ON_PUSH is set to true and run tests with dotenvx
+  if npx dotenvx get RUN_TESTS_ON_PUSH -f .env.local 2>/dev/null | grep -q "^true$"; then
+    npx dotenvx run -f .env.local -- $pnpm_cmd run test
+  fi
+else
+  # Fallback: run tests if RUN_TESTS_ON_PUSH is set in regular environment
+  if [ "$RUN_TESTS_ON_PUSH" = "true" ]; then
+    $pnpm_cmd run test
+  fi
 fi
 
 # Check for new changesets.