Single quote was preventing the shell from expanding the BODY variable

While this prevents the attack highlighted in the query help it also prevents it from working.

Double quotes will allow the expansion of the variable while still preventing the attack

Author: tspascoal

javascript/ql/src/Security/CWE-094/examples/comment_issue_good.yml

@@ -7,4 +7,4 @@ jobs:
     - env:
         BODY: ${{ github.event.issue.body }}
       run: |
-        echo '$BODY'
+        echo "$BODY"