fix: use env var for PR title in commitlint workflow to prevent untrusted script injection

Description

Our OSSF scorecard workflow flagged this as a Critical security risk. Unsure of whether there is a real attack vector in our specific case. Using an environment variable to capture untrusted input in workflows is a documented security hardening best practice by GitHub as well.

This should also boost our OSSF scorecard score since we have a 0 on this check.

Dangerous-Workflow check:

https://github.com/ossf/scorecard/blob/49c0eed3a423f00c872b5c3c9f1bbca9e8aae799/docs/checks.md#dangerous-workflow

Risk of script injections:

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

Example script injection attack:

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack

Recommended fix that this PR implements:

https://docs.github.com/en/actions/security-guides/security-hardening-for-github-actions#using-an-intermediate-environment-variable

defenseunicorns / pkg

fix: use env var for PR title in commitlint workflow to prevent untrusted script injection #60

Description