fix: extract 1 unsafe expression(s) to env vars

[dagecko]

This is a re-submission of #21555, which was closed due to a branch issue on my end. Same fixes, apologies for the noise.

Security: Harden GitHub Actions workflows

Hey, I found some CI/CD security issues in this repo's GitHub Actions workflows. These are the same vulnerability classes that were exploited in the tj-actions/changed-files supply chain attack. I've been reviewing repos that are affected and submitting fixes where I can.

This PR applies mechanical fixes and flags anything else that needs a manual look. Happy to answer any questions.

Fixes applied

Rule	Severity	File	Description
RGS-002	high	.github/workflows/teardown-pr-preview.yml	Extracted 1 unsafe expression(s) to env vars

Additional findings (manual review recommended)

| Rule | Severity | File | Description |
| RGS-004 | high | .github/workflows/pr-preview.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-preview.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-preview.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-preview.yml | Comment-Triggered Workflow Without Author Authorization Check |
| RGS-004 | high | .github/workflows/pr-preview.yml | Comment-Triggered Workflow Without Author Authorization Check |

Why this matters

GitHub Actions workflows that use untrusted input in run: blocks or reference unpinned third-party actions are vulnerable to code injection and supply chain attacks. These are the same vulnerability classes exploited in the tj-actions/changed-files incident which compromised CI secrets across thousands of repositories.

How to verify

Review the diff, each change is mechanical and preserves workflow behavior:

• Expression extraction: Moves ${{ }} expressions from run: blocks into env: mappings, preventing shell injection

---

If this PR is not welcome, just close it and I won't send another.

[echarts-bot]

Thanks for your contribution!
The community will review it ASAP. In the meanwhile, please checkout the coding standard and Wiki about How to make a pull request.

Please DO NOT commit the files in dist, i18n, and ssr/client/dist folders in a non-release pull request. These folders are for release use only.

To reviewers: If this PR is going to be described in the changelog in the future release, please make sure this PR has one of the following labels: PR: doc ready, PR: awaiting doc, PR: doc unchanged

This message is shown because the PR description doesn't contain the document related template.

[dagecko]

Let me know if you have any questions

[echarts-bot]

Congratulations! Your PR has been merged. Thanks for your contribution! 👍

[dagecko]

Hey, thanks again for merging this. I was doing some additional validation against the CodeQL envvar-injection-critical guidance (https://codeql.github.com/codeql-query-help/actions/actions-envvar-injection-critical/) and noticed ${SURGE_TOKEN} on the teardown line should be quoted as "${SURGE_TOKEN}" for completeness. Minor one, just flagging it for your awareness.

• Chris