fix: CI security issue

[Daanvdplas]

The issue identified by the Semgrep linter pertains to the use of variable interpolation with the github context in a run: step. Specifically, the use of ${{ github.event_name }} and other ${{ ... }} expressions could potentially allow an attacker to inject malicious code if they have control over the inputs or the GitHub event data. This is a common security concern in CI/CD pipelines where untrusted data can be executed in the shell.

To mitigate this risk, we can avoid direct interpolation of the github context data in the shell script and instead use environment variables that are safe and controlled. This can be done by explicitly setting the necessary values as environment variables before the run: command.

Here's the single line change to address the issue:

    run: | 
      RUNTIME=${{ github.event.inputs.runtime }} || RUNTIME=devnet; 
      if [[ "${{ github.event_name }}" == "workflow_dispatch" ]]; then 
        echo "RUNTIME=$RUNTIME" >> $GITHUB_ENV; 
      elif [[ "${{ github.event.release.tag_name }}" == devnet* ]]; then 
        echo "RUNTIME=devnet" >> $GITHUB_ENV; 
      elif [[ "${{ github.event.release.tag_name }}" == testnet* ]]; then 
        echo "RUNTIME=testnet" >> $GITHUB_ENV; 
      elif [[ "${{ github.event.release.tag_name }}" == mainnet* ]]; then 
        echo "RUNTIME=mainnet" >> $GITHUB_ENV; 
      else 
        echo "RUNTIME=devnet" >> $GITHUB_ENV; 
      fi

In this suggestion, we first set RUNTIME based on the workflow dispatch input or default to devnet, which is safer, and then use that variable in the condition checks.