
fix(vuln): remediate GHA script injection#2905

Open

aris1009 wants to merge 1 commit into develop from fix/sec-93-remediate-gha-injection

Conversation


@aris1009 aris1009 commented Mar 26, 2026

Replaces direct ${{ github.* }} interpolation in run: blocks with env: indirection. Prevents script injection RCE via crafted branch names or other user-controlled inputs. Ref: SEC-93.

Summary by CodeRabbit

  • Chores
    • Refactored CI/CD workflow configuration to standardize environment variable handling across deployment and release automation steps.
    • Improved reliability of deployment configuration logic through enhanced shell script implementation.
    • Streamlined workflow variable passing for environment-specific deployments.

@aris1009 aris1009 requested a review from a team as a code owner March 26, 2026 19:33

coderabbitai bot commented Mar 26, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Repository UI

Review profile: CHILL

Plan: Pro

Run ID: dfb5f82d-3c85-4e85-abfe-ded1902546cd

📥 Commits

Reviewing files that changed from the base of the PR and between 4fd0ccf and 76a82dc.

📒 Files selected for processing (3)
  • .github/workflows/deploy-sanity-suite.yml
  • .github/workflows/deploy.yml
  • .github/workflows/publish-new-release.yml

📝 Walkthrough

Three GitHub Actions workflow files were refactored to use explicit shell environment variables via env entries instead of inline GitHub expressions (${{ inputs.* }}). Step logic was updated to reference shell variables through test syntax and command-line arguments, replacing template-based conditionals with shell comparisons.

Changes

Cohort / File(s): Workflow Shell Variable Refactoring
  • .github/workflows/deploy-sanity-suite.yml
  • .github/workflows/deploy.yml
  • .github/workflows/publish-new-release.yml
Summary: Refactored workflow steps to use explicit shell environment variables (USE_PR_HEAD_SHA, INPUT_ENVIRONMENT, VERSION_SUFFIX, BASE_CDN_URL, S3_DIR_PATH, BRANCH_NAME, etc.) declared via env entries instead of inline GitHub expressions. Updated conditional logic from ${{ ... }} syntax to shell test comparisons ([ ... ]) and replaced ${{ inputs.* }} references with ${VARIABLE_NAME} interpolation in commands.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~12 minutes

🚥 Pre-merge checks | ✅ 2 | ❌ 1

❌ Failed checks (1 inconclusive)

  • Description check: ❓ Inconclusive
    Explanation: The pull request description provides a clear explanation of the change (environment variable indirection to prevent script injection RCE) and references the related security issue (SEC-93), but does not follow the required template structure with checkboxes for browsers, sanity suite, and security confirmation.
    Resolution: Add the template sections including Cross Browser Tests checkboxes, Sanity Suite confirmation, and Security assessment checkbox to fully align with repository standards.

✅ Passed checks (2 passed)

  • Title check: ✅ Passed
    Explanation: The title clearly and concisely summarizes the main change: remediating a GitHub Actions script injection vulnerability through environment variable indirection.
  • Docstring Coverage: ✅ Passed
    Explanation: No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

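The PR description and the walkthrough above describe one change made three times: values such as ${{ github.head_ref }} or ${{ inputs.* }} used to be expanded by the workflow engine straight into the text of a run: script, so whatever the value contained became part of the shell program; after the fix they are assigned under env: and the script reads them as quoted shell variables, so their contents stay data. The script below is an added example, not code from this repository or from PR #2905. It is a POSIX shell check that scans a workflow file for the old pattern and runs it over two constructed sample workflows, a "before" and an "after", which are assumptions standing in for the real deploy.yml; the env: names BRANCH_NAME and INPUT_ENVIRONMENT are taken from the walkthrough, everything else in the samples is invented. The set of expressions it flags is deliberately limited to the github.* and inputs.* families named on this page.

```shell
#!/usr/bin/env sh
# Added example, not code from this repository or from PR #2905.
# Heuristic scan for the pattern the PR removes: a ${{ github.* }} or
# ${{ inputs.* }} expression expanded directly into a run: script, where
# its value becomes part of the shell program rather than data.
set -eu

# Print "file:line: ..." for every run: script line that interpolates an
# expression naming github.* or inputs.* (the two families named in the PR).
scan_workflow() {
  awk '
    # Inside a block scalar (run: |), every more-indented line is script text.
    in_run {
      if ($0 ~ /^ *$/) next                 # blank lines never end the scalar
      match($0, /^ */)
      if (RLENGTH <= key_col) in_run = 0    # back at the key indent: scalar ended
      else { check($0, NR); next }
    }
    # A run: key starts either a block scalar or an inline one-line script.
    /(^|[ -])run:/ {
      match($0, /run:/); key_col = RSTART - 1
      if ($0 ~ /run: *[|>][-+0-9]* *$/) in_run = 1
      else check($0, NR)
    }
    function check(line, n) {
      if (line ~ /[$][{][{][^}]*(github\.|inputs\.)[^}]*[}][}]/)
        printf "%s:%d: expression expanded into run: script: %s\n", FILENAME, n, line
    }
  ' "$1"
}

# Number of flagged lines in one workflow file.
count_findings() {
  scan_workflow "$1" | wc -l | tr -d ' '
}

SAMPLE_DIR=$(mktemp -d)
VULN_WF="$SAMPLE_DIR/deploy-before.yml"
SAFE_WF="$SAMPLE_DIR/deploy-after.yml"

# Constructed "before" workflow (an assumption, not the repository's deploy.yml):
# the expressions are substituted into the script text before the shell runs it.
cat > "$VULN_WF" <<'EOF'
name: deploy (constructed before sample)
on: [pull_request, workflow_dispatch]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy
        run: |
          echo "Deploying branch ${{ github.head_ref }}"
          ./deploy.sh --env ${{ inputs.environment }}
      - name: Tag
        run: git tag "release-${{ inputs.environment }}"
EOF

# Constructed "after" workflow: the same values enter through env: and the
# script reads them as quoted variables, so their contents stay data.
cat > "$SAFE_WF" <<'EOF'
name: deploy (constructed after sample)
on: [pull_request, workflow_dispatch]
jobs:
  deploy:
    runs-on: ubuntu-latest
    steps:
      - name: Deploy
        env:
          BRANCH_NAME: ${{ github.head_ref }}
          INPUT_ENVIRONMENT: ${{ inputs.environment }}
        run: |
          echo "Deploying branch ${BRANCH_NAME}"
          if [ "${INPUT_ENVIRONMENT}" = "production" ]; then
            ./deploy.sh --env "${INPUT_ENVIRONMENT}"
          fi
      - name: Tag
        env:
          INPUT_ENVIRONMENT: ${{ inputs.environment }}
        run: git tag "release-${INPUT_ENVIRONMENT}"
EOF

echo "== before: direct interpolation =="
scan_workflow "$VULN_WF"
echo "== after: env: indirection =="
scan_workflow "$SAFE_WF"
echo "findings: before=$(count_findings "$VULN_WF") after=$(count_findings "$SAFE_WF")"
```

Run it as-is to see the three flagged lines in the "before" sample and none in the "after" sample; point scan_workflow at a real .github/workflows/*.yml to use it as a quick pre-merge check. Because it works on line structure rather than parsing YAML, it is a heuristic: it flags any github.* or inputs.* expression inside a run: scalar, including ones such as github.sha whose value a pull request author cannot choose, and it knows nothing about which inputs are free-form strings. For real workflows a dedicated workflow linter is the better tool; the point here is to make the before and after of this PR concrete.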
