Harden workflows against script injection

[jeremy]

Summary

• Fix script injection via AI model output in labeler workflow (use response-file, structured JSON output, env vars for PR numbers)
• Fix $GITHUB_ENV injection in release changelog step (use file-based approach)
• Remove secrets:inherit, add explicit secret declarations
• Move ref names and commit SHAs out of shell interpolation
• Add environment gate on sync-skills job
• Narrow permissions from workflow-level to per-job
• Apply all fixes to seed templates

Context

Security audit of GitHub Actions workflows identified script injection vectors where ${{ }} expressions are interpolated by the Actions runner before bash executes. This PR eliminates all identified injection paths in both the repo workflows and seed templates.

[Copilot]

Pull request overview

This PR systematically hardens GitHub Actions workflows against script injection vulnerabilities by moving all ${{ }} expression interpolations out of run: shell scripts and into env: blocks, switching AI model output to structured JSON format (with a response-file-based approach instead of writing to $GITHUB_ENV), narrowing permissions from workflow-level to per-job, replacing secrets: inherit with explicit secret declarations, and adding environment gates to sensitive jobs.

Changes:

• Injection vector remediation: All ${{ }} expressions previously interpolated directly in run: steps are moved to env: variables, covering tokens, PR numbers, commit SHAs, ref names, run IDs, and AI response files across all workflows.
• AI model output hardening: The classify-pr prompt now enforces a structured JSON schema response instead of a free-form single word, with file-based response passing instead of $GITHUB_ENV heredoc injection. GoReleaser changelog step likewise uses a file path output instead of $GITHUB_ENV.
• Permissions and secrets scoping: Workflow-level permissions blocks are removed and replaced with per-job declarations; secrets: inherit is replaced with explicit secret passing.

Reviewed changes

Copilot reviewed 8 out of 8 changed files in this pull request and generated 2 comments.

Show a summary per file

File	Description
.github/workflows/release.yml	Removed workflow-level permissions/secrets; moved ${{ github.sha }} and ref/changelog expressions to env: blocks; added environment: release to sync-skills; moved sync-skills env vars to env: block
.github/workflows/ai-labeler.yml	Moved PR number and response-file references to env: blocks; replaced steps.classify.outputs.response with file-based response-file output
.github/prompts/classify-pr.prompt.yml	Changed system prompt to request JSON response; added responseFormat with json_schema enforcement
seed/.github/workflows/test.yml	Moved app token interpolation to env: block in all 7 "Configure git for private modules" steps
seed/.github/workflows/security.yml	Added explicit secrets: block to workflow_call trigger; moved app token to env: block in gosec and codeql jobs
seed/.github/workflows/release.yml	Removed workflow-level permissions; added per-job permissions; replaced secrets: inherit with explicit secret; moved all expression interpolations to env: blocks; split GoReleaser into install+run; replaced $GITHUB_ENV heredoc approach with file-path output
seed/.github/workflows/ai-labeler.yml	Moved PR number and response-file references to env: blocks; replaced steps.classify.outputs.response with file-based approach
seed/.github/prompts/classify-pr.prompt.yml	Same as the non-seed counterpart: JSON response format with json_schema schema

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.