Use intermediate env var for Pulumi passphrase (#4)

Addresses security concern where secrets were directly interpolated in
run commands. Following GitHub's security best practices, the secret is
now passed through an intermediate environment variable before being
written to the file.

This maintains compatibility with the existing Makefile workflow while
reducing the risk of accidental secret disclosure.

Author: domdomegg

.github/workflows/deploy.yml

@@ -49,6 +49,8 @@ jobs:
           credentials_json: ${{ secrets.GCP_PROD_SERVICE_ACCOUNT_KEY }}
 
       - name: Deploy to Production
+        env:
+          PULUMI_PASSPHRASE: ${{ secrets.PULUMI_PROD_PASSPHRASE }}
         run: |
-          echo "${{ secrets.PULUMI_PROD_PASSPHRASE }}" > passphrase.prod.txt
+          echo "$PULUMI_PASSPHRASE" > passphrase.prod.txt
           make up