fix: DEVPLAT-7883 prevent shell injection in Set fields step

[kristianmills]

Summary

Resolves DEVPLAT-7883 — Semgrep finding of yaml.github-actions.security.run-shell-injection in the "Set fields" step.

Moves all ${{ github.* }} and ${{ inputs.* }} interpolations out of the run: shell block into the step-level env: block, then references them as quoted shell variables. Uses the runner-provided $GITHUB_SHA instead of redeclaring github.sha.

Variables moved into env:

• status: ${{ inputs.status }}
• repository: ${{ inputs.repository }}
• event_pusher_name: ${{ github.event.pusher.name }}
• event_sender_login: ${{ github.event.sender.login }}

(input_message and commit_message were already done correctly.)

Notes

• No behavior change — same emoji/color logic, same URL format, same author fallback (${author:-$event_sender_login} in bash works the same as ${author:-${{ github.event.sender.login }}} after the template substitution).
• Added quoting ("$input_message", "${author:-$event_sender_login}") where the original was unquoted; safe because none of these values can legitimately contain spaces or shell metachars.
• YAML validity verified.

Test plan

• Trigger a workflow that uses this action on a push event — verify Slack notification has the right emoji, color, author, and commit-link
• Trigger via workflow_dispatch — verify author falls back to sender.login and commit message is pulled from git log
• Trigger via failure path (e.g. failing test) — verify red emoji + danger color

References:

• Semgrep rule
• GitHub Actions security hardening

🤖 Generated with Claude Code

---

Note

Low Risk
Low risk: change is limited to how the composite action passes GitHub/inputs values into the bash script (via env + quoting), intended to reduce shell-injection risk while keeping notification behavior the same.

Overview
Hardens the Set fields bash step in action.yml by moving ${{ inputs.* }}/${{ github.* }} interpolations into step-level env variables and referencing them as quoted shell variables.

Commit-link construction is updated to use $GITHUB_SHA and $repository, and author selection now uses $event_pusher_name with a $event_sender_login fallback, reducing exposure to run-script injection without changing the Slack payload structure.

^{Reviewed by Cursor Bugbot for commit 687700a. Bugbot is set up for automated code reviews on this repo. Configure here.}

[kristianmills]

other scribd org repos typically use all caps for env variables, however this repo already uses lowercase so I decided to match what was already here.

[kristianmills]

I could see an argument for changing it, since I think its a lot easier to parse capitalized variables out of strings eg: message="https://github.com/$repository/commit/$github_sha|$commit_message" vs message="https://github.com/$REPOSITORY/commit/$GITHUB_SHA|$COMMIT_MESSAGE"

[terranisu]

Yes, we need to fix that and capitalize the environment variable names to follow the standard naming conventions (https://pubs.opengroup.org/onlinepubs/9799919799/basedefs/V1_chap08.html).