🔒 Security: restrict workflow context (#3124)

Co-authored-by: polarathene <[email protected]>

Author: yanyongyu

.github/workflows/website-preview-cd.yml

@@ -45,11 +45,16 @@ jobs:
 
       - name: Restore Context
         run: |
-          cat action.env >> $GITHUB_ENV
+          PR_NUMBER=$(cat ./pr-number)
+          if ! [[ "${PR_NUMBER}" =~ ^[0-9]+$ ]]; then
+            echo "Invalid PR number: ${PR_NUMBER}"
+            exit 1
+          fi
+          echo "PR_NUMBER=${PR_NUMBER}" >> "${GITHUB_ENV}"
 
       - name: Set Deploy Name
         run: |
-          echo "DEPLOY_NAME=deploy-preview-${{ env.PR_NUMBER }}" >> $GITHUB_ENV
+          echo "DEPLOY_NAME=deploy-preview-${PR_NUMBER}" >> "${GITHUB_ENV}"
 
       - name: Deploy to Netlify
         id: deploy

.github/workflows/website-preview-ci.yml

@@ -30,13 +30,13 @@ jobs:
 
       - name: Export Context
         run: |
-          echo "PR_NUMBER=${{ github.event.number }}" >> ./action.env
+          echo "${{ github.event.pull_request.number }}" > ./pr-number
 
       - name: Upload Artifact
         uses: actions/upload-artifact@v4
         with:
           name: website-preview
           path: |
             ./website/build
-            ./action.env
+            ./pr-number
           retention-days: 1