Hotfix/apicli 3534 #646
LGTM!
The fix is correct — passing `PR_TITLE` through `env:` instead of inline `${{ }}` interpolation eliminates the script injection vector.
We can do this in a follow-up PR since it is low risk: line 86 still interpolates `${{ github.event.inputs.openapi_short_sha }}` directly in a `run:` block (same pattern on lines 26, 34, 45, 71, 81, 97, 108). It's low risk because workflow_dispatch inputs require repo write access, but moving them to `env:` blocks too would be consistent defense-in-depth. That can be done later.
@harshmaru7 Agree, we can address the remaining `${{ }}` interpolations in a follow-up PR by moving them to `env:` blocks for consistency and improved defense-in-depth.
Summary

Pass `PR_TITLE` through a step-level `env:` block instead of interpolating `${{ steps.pr_title_var.outputs.PR_TITLE }}` directly into the `run:` shell commands of the `Check pr_title outputs` and `Create Pull Request` steps. This removes a script-injection surface: upstream PR titles can contain shell-special characters (backticks, `$()`, quotes, `;`), and inline expression substitution would inject them into the script. Passing via `env:` keeps the value as an opaque environment variable.

No behavior change for typical titles.

Ticket - https://do-internal.atlassian.net/browse/APICLI-3534
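The two patterns described above, side by side, as an added example that is not the PR's own workflow file: the step names and the `steps.pr_title_var.outputs.PR_TITLE` output come from the PR, while how that output is produced, the `gh pr create` invocation and the `GITHUB_TOKEN` wiring are assumptions.

```yaml
# Added illustration, not the repository's workflow. Only the steps are shown;
# the job/trigger around them and the gh CLI usage are assumed.

# BEFORE: the expression is substituted into the script text before the shell
# parses it, so a title containing backticks, $(...), quotes or ';' is parsed
# and executed as shell code rather than printed as data.
- name: Check pr_title outputs
  run: |
    echo "Upstream PR title: ${{ steps.pr_title_var.outputs.PR_TITLE }}"

# AFTER: the value reaches the step as an environment variable. The script text
# itself contains only "$PR_TITLE"; the shell expands it to the literal string
# and never re-parses that string as code. Keep it double-quoted so the value
# is not word-split or glob-expanded either.
- name: Check pr_title outputs
  env:
    PR_TITLE: ${{ steps.pr_title_var.outputs.PR_TITLE }}
  run: |
    echo "Upstream PR title: $PR_TITLE"

- name: Create Pull Request
  env:
    PR_TITLE: ${{ steps.pr_title_var.outputs.PR_TITLE }}
    # Same treatment for the workflow_dispatch input raised in review (the
    # follow-up item): lower risk because it needs write access, but identical
    # fix, so the whole workflow follows one rule.
    OPENAPI_SHORT_SHA: ${{ github.event.inputs.openapi_short_sha }}
    GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}   # assumed: token for the gh CLI
  run: |
    gh pr create \
      --title "$PR_TITLE" \
      --body "Sync OpenAPI spec to upstream commit $OPENAPI_SHORT_SHA"
```

A quick check when reviewing a workflow: grep the `run:` blocks for `${{` and move every occurrence that carries externally influenced data (PR titles, issue bodies, branch names, inputs) into `env:`.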