[Fix] Github Action possible command injection via unsanitised user input like review body and gti (#7569)

Co-authored-by: Vasyl Spachynskyi <vasyl.spachynskyi@dataart.com>
VS
2025-04-01 18:26:46 +03:00
committed by GitHub
parent 89bfbfad59
commit 4a2045ecca
2 changed files with 6 additions and 3 deletions


@@ -145,13 +145,15 @@ jobs:
fi
- name: Set environment variables
env:
REVIEW_BODY: ${{ github.event.review.body || '' }}
run: |
# Handle pull request events first
if [ -n "${{ github.event.pull_request.number }}" ]; then
echo "ISSUE_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
echo "ISSUE_TYPE=pr" >> $GITHUB_ENV
# Handle pull request review events
elif [ -n "${{ github.event.review.body }}" ]; then
elif [ -n "$REVIEW_BODY" ]; then
echo "ISSUE_NUMBER=${{ github.event.pull_request.number }}" >> $GITHUB_ENV
echo "ISSUE_TYPE=pr" >> $GITHUB_ENV
# Handle issue comment events that reference a PR
@@ -164,7 +166,7 @@ jobs:
echo "ISSUE_TYPE=issue" >> $GITHUB_ENV
fi
if [ -n "${{ github.event.review.body }}" ]; then
if [ -n "$REVIEW_BODY" ]; then
echo "COMMENT_ID=${{ github.event.review.id || 'None' }}" >> $GITHUB_ENV
else
echo "COMMENT_ID=${{ github.event.comment.id || 'None' }}" >> $GITHUB_ENV
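Review bot: The `run:` block in both hunks still interpolates `${{ github.event.pull_request.number }}`, `${{ github.event.review.id || 'None' }}` and `${{ github.event.comment.id || 'None' }}` directly into the script text, while only `review.body` was moved to the `REVIEW_BODY` env var. Those three are numeric event fields, so they are not a practical injection vector like the free-text body was, but passing them through `env:` in the same way would make the step uniformly expression-free and easier to audit, e.g. `PR_NUMBER: ${{ github.event.pull_request.number }}` alongside `REVIEW_BODY`, then `echo "ISSUE_NUMBER=$PR_NUMBER" >> "$GITHUB_ENV"`. Independently, every `>> $GITHUB_ENV` redirection is unquoted; `>> "$GITHUB_ENV"` is the safer shell form. The step's script starts before the first hunk's context and the `if`/`elif` chain continues between the two hunks, so this applies to the whole step, not only the visible lines.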


@@ -19,9 +19,10 @@ jobs:
ref: ${{ github.head_ref }}
- name: Trigger remote job
env:
PR_BRANCH: ${{ github.head_ref }}
run: |
REPO_URL="https://github.com/${{ github.repository }}"
PR_BRANCH="${{ github.head_ref }}"
echo "Repository URL: $REPO_URL"
echo "PR Branch: $PR_BRANCH"