fix(workflows): Prevent script injection in sentry_dogfood workflow

[fix-it-felix-sentry]

Summary

Fixes script injection vulnerability in the Sentry Dogfood workflow by moving GitHub context variables to environment variables instead of direct interpolation in run scripts.

Details

This PR addresses a High severity security finding where GitHub context data was being directly interpolated in run: steps, which could allow attackers to inject malicious code through untrusted input (e.g., PR titles, branch names, etc.).

Changes Made:

• ✅ Moved all GitHub context variables to env: block for both iOS and Android upload steps
• ✅ Updated script references to use environment variables with double quotes
• ✅ Applied the same pattern to both pull_request and push event contexts
• ✅ Properly quoted all variable references to prevent injection

Security Impact:

The vulnerability allowed potential code injection through:

• github.event.pull_request.head.sha
• github.event.pull_request.base.sha
• github.repository
• github.head_ref
• github.base_ref
• github.event.number
• github.sha
• github.ref_name
• github.event_name

By moving these to environment variables, GitHub Actions evaluates them only once during the env block processing, preventing injection attacks.

Related Issues

• Parent ticket: https://linear.app/getsentry/issue/VULN-1590
• Child ticket: https://linear.app/getsentry/issue/EME-1088

References

• Semgrep Rule
• GitHub Actions Security Hardening
• GitHub Security Lab Research

[linear-code]

EME-1088 Command Injection vulnerabilities in getsentry/launchpad in 2 locations

[sentry]

📲 Install Builds

Android

🔗 App Name	App ID	Version	Configuration
Hacker News	com.emergetools.hackernews	1.0.2 (13)	Release

⚙️ launchpad-test-android Build Distribution Settings

[runningcode]

closing in favor of #608