
fix: harden shell interpolation in action workflows #74

Merged: bolinfest merged 1 commit into main from pr74 on Mar 16, 2026

fix: harden shell interpolation in action workflows#74
bolinfest merged 1 commit intomainfrom
pr74

Conversation

@bolinfest (Collaborator) commented Mar 16, 2026

Why

A user pointed out that the README pull request example interpolated ${{ github.event.pull_request.base.ref }} directly into a shell command. GitHub Actions expands ${{ ... }} expressions before the shell runs, so copying that pattern into a workflow can let attacker-controlled values such as branch names break shell syntax and execute arbitrary commands.

This change hardens both the published examples and the composite action itself so we are not shipping that pattern to users.

What changed

  • updated the README pull request review example to pass PR metadata through env: and consume it as quoted shell variables
  • added guidance to docs/security.md explaining why direct ${{ ... }} interpolation inside run: blocks is unsafe
  • hardened action.yml so action inputs and step outputs are passed into shell steps through environment variables instead of being spliced directly into commands
  • updated examples/test-sandbox-protections.yml to use the same safe pattern

Verification

  • re-scanned this repository for attacker-controlled GitHub expressions or action inputs interpolated directly into run: blocks
  • parsed action.yml and examples/test-sandbox-protections.yml with Ruby YAML.load_file to confirm the edited workflow files still parse
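The scan described in the verification bullets, as an added example that is not part of this PR or the project's own tooling: it loads a workflow with Ruby's stdlib YAML (the same parser the PR used to check the edited files), and flags every `run:` block that splices a `${{ ... }}` expression from a contributor-controllable context straight into the command, while leaving the hardened `env:` plus quoted-variable form alone. The list of untrusted contexts and the sample workflow are constructed for this example, not taken from the repository.

```ruby
require 'yaml'

# Contexts whose values an outside contributor can choose (constructed,
# non-exhaustive list for this example; base.ref is included because the
# PR description treats branch names as attacker-controlled).
UNTRUSTED = [
  /\bgithub\.event\.pull_request\.(title|body|head\.(ref|label)|base\.ref)\b/,
  /\bgithub\.head_ref\b/,
  /\bgithub\.event\.(issue|comment|review)\.\w+/,
  /\binputs\.\w+/
].freeze

# Returns [job, step_index, expression] for each `run:` block that contains an
# untrusted ${{ ... }} expression. Expressions are expanded by Actions before
# the shell starts, so any such hit is shell syntax chosen by the contributor.
# Values routed through `env:` never appear inside `run:`, so they are not hit.
def unsafe_run_steps(workflow_yaml)
  doc = YAML.safe_load(workflow_yaml)
  findings = []
  (doc['jobs'] || {}).each do |job, spec|
    next unless spec.is_a?(Hash)
    Array(spec['steps']).each_with_index do |step, i|
      run = step['run']
      next unless run.is_a?(String)
      run.scan(/\$\{\{\s*([^}]*?)\s*\}\}/).flatten.each do |expr|
        findings << [job, i, expr] if UNTRUSTED.any? { |re| expr.match?(re) }
      end
    end
  end
  findings
end

# Constructed sample: step 0 reproduces the README pattern this PR removed;
# step 1 is the hardened form (env: plus a double-quoted shell variable).
SAMPLE_WORKFLOW = <<~YAML
  jobs:
    review:
      runs-on: ubuntu-latest
      steps:
        - name: unsafe (expression expanded before the shell runs)
          run: git diff origin/${{ github.event.pull_request.base.ref }}...HEAD
        - name: hardened (value reaches the shell only as an env var)
          env:
            BASE_REF: ${{ github.event.pull_request.base.ref }}
          run: git diff "origin/$BASE_REF...HEAD"
YAML

if __FILE__ == $PROGRAM_NAME
  unsafe_run_steps(SAMPLE_WORKFLOW).each do |job, i, expr|
    puts "#{job} step #{i}: untrusted expression in run: ${{ #{expr} }}"
  end
end
```

Run against a checkout's `.github/workflows/*.yml` and `action.yml` files to reproduce the re-scan; the hardened step produces no finding because the expression lives under `env:` rather than in the command text.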
@bolinfest bolinfest changed the title fix: harden GitHub Actions shell interpolation Mar 16, 2026
@bolinfest bolinfest requested review from Zemnmez and pakrym-oai March 16, 2026 23:09
@bolinfest bolinfest merged commit 39b4832 into main Mar 16, 2026
2 checks passed
@github-actions github-actions bot locked and limited conversation to collaborators Mar 16, 2026

Labels: None yet

2 participants