Verify branch-based workflow script injections don't work

Including code in the branch name and triggering a workflow run may result in arbitrary command execution due to github's templates not being escaped automatically.

See https://github.com/advisories/GHSA-7x29-qqmq-v6qc