ci: prevent command injection in prevent-deletion workflow

[Oreoxmt]

First-time contributors' checklist

• I've signed Contributor License Agreement that's required for repo owners to accept my contribution.

What is changed, added, or deleted? (Required)

Which TiDB Operator version(s) do your changes apply to? (Required)

• main (the latest development version for v2.x)
• v2.0 (TiDB Operator 2.0 versions)
• release-1.x (the latest development version for v1.x)
• v1.6 (TiDB Operator 1.6 versions)
• v1.5 (TiDB Operator 1.5 versions)
• v1.4 (TiDB Operator 1.4 versions)
• v1.3 (TiDB Operator 1.3 versions)

What is the related PR or file link(s)?

• This PR is translated from:
• Other reference link(s):

[Copilot]

Pull request overview

This PR hardens the prevent-deletion GitHub Actions workflow by avoiding direct interpolation of PR-controlled values into shell commands, reducing command injection risk in a pull_request_target workflow.

Changes:

• Moves PR head metadata, token, and repository values into step-level environment variables.
• Quotes shell variable usage in Git, jq, and curl commands.
• Fetches full history so git diff --merge-base can resolve the correct merge base.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-05-26 05:55:11.409288415 +0000 UTC m=+331581.379453472: ☑️ agreed by qiancai.

[Oreoxmt]

/approve

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Oreoxmt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Oreoxmt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-1.6: #3139.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-2.0: #3140.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-1.x: #3141.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-1.3: #3142.
But this PR has conflicts, please resolve them!

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-1.4: #3143.
But this PR has conflicts, please resolve them!

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-1.5: #3144.
But this PR has conflicts, please resolve them!