fix(ci): Prevent command injection in ci-metadata workflow

Move GitHub context interpolation into an environment variable to prevent
potential command injection attacks. The github.event.pull_request.head.sha
and other GitHub context data can contain arbitrary user input and should
not be directly interpolated into shell scripts.

References:
- Parent ticket: https://linear.app/getsentry/issue/VULN-1328
- Child ticket: https://linear.app/getsentry/issue/JS-1972
- https://docs.github.com/en/actions/learn-github-actions/security-hardening-for-github-actions#understanding-the-risk-of-script-injections

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: fix-it-felix-sentry[bot]

.github/workflows/ci-metadata.yml

@@ -51,8 +51,10 @@ jobs:
         id: get_metadata
         # We need to try a number of different options for finding the head commit, because each kind of trigger event
         # stores it in a different location
+        env:
+          COMMIT_SHA_EXPR: ${{ github.event.pull_request.head.sha || github.event.head_commit.id || inputs.head_commit }}
         run: |
-          COMMIT_SHA=$(git rev-parse --short ${{ github.event.pull_request.head.sha || github.event.head_commit.id || inputs.head_commit }})
+          COMMIT_SHA=$(git rev-parse --short "$COMMIT_SHA_EXPR")
           echo "COMMIT_SHA=$COMMIT_SHA" >> $GITHUB_ENV
           echo "COMMIT_MESSAGE=$(git log -n 1 --pretty=format:%s $COMMIT_SHA)" >> $GITHUB_ENV