
Conversation

@dtsanevmw
Contributor

Potential fix for https://github.com/vmware-clarity/ng-clarity/security/code-scanning/22

To fix the vulnerability, the untrusted value (steps.get-pr-event.outputs.sourceHeadBranch) should not be interpolated directly into the shell command. Instead, it should be passed into an environment variable using the workflow's env: syntax, and then referenced within the shell as "$SOURCE_HEAD_BRANCH". This ensures correct quoting and prevents code injection, as the shell will not interpret embedded metacharacters in the variable.

Specifically:

  • In the job containing this step, introduce an environment variable (e.g., SOURCE_HEAD_BRANCH) set from ${{steps.get-pr-event.outputs.sourceHeadBranch}} before the step that runs the problematic shell command (git commit).
  • In the problematic run: block (line 74), replace ${{steps.get-pr-event.outputs.sourceHeadBranch}} with "$SOURCE_HEAD_BRANCH".
  • Do not use ${{ }} interpolation inside the shell script for untrusted inputs; use the shell variable.

No additional imports or external dependencies are required. The change should be made strictly in the workflow YAML, in the step specifying the git commit --message.

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
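The pattern the description above prescribes, shown as an added before/after workflow fragment (this is an illustration, not the ng-clarity workflow file; the job name, the `get-pr-event` implementation and the commit message text are assumed, only the output name and the `SOURCE_HEAD_BRANCH` variable come from the description):

```yaml
# Added illustration of the fix described in the PR; not the project's own workflow.
# Job name, the get-pr-event step body and the commit message are assumed.
jobs:
  visual-snapshot:
    runs-on: ubuntu-latest
    steps:
      - id: get-pr-event
        # Assumed step: exposes the PR's source branch name as a step output.
        # A branch name is chosen by whoever opens the PR, so it is untrusted input.
        run: echo "sourceHeadBranch=${GITHUB_HEAD_REF}" >> "$GITHUB_OUTPUT"

      # Before (the shape the code-scanning alert flags): ${{ }} is expanded by the
      # runner BEFORE the shell starts, so the branch text is spliced into the
      # script source itself and any shell metacharacters in it are executed.
      - name: Commit snapshots (vulnerable form, shown for contrast only)
        run: |
          git commit --message "chore: update snapshots for ${{ steps.get-pr-event.outputs.sourceHeadBranch }}"

      # After: the untrusted value is bound to an environment variable with env:,
      # and the script references only the shell variable, double-quoted. The
      # shell now sees the branch name as data, never as part of the command.
      - name: Commit snapshots (fixed form)
        env:
          SOURCE_HEAD_BRANCH: ${{ steps.get-pr-event.outputs.sourceHeadBranch }}
        run: |
          git commit --message "chore: update snapshots for $SOURCE_HEAD_BRANCH"
```

The double quotes around `$SOURCE_HEAD_BRANCH` are part of the fix: an unquoted expansion would still be subject to word splitting and globbing, even though it can no longer inject commands.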
@github-actions
Contributor

github-actions bot commented Oct 7, 2025

👋 @dtsanevmw,

  • 🙏 The Clarity team thanks you for opening a pull request
  • 🎉 The build for this PR has succeeded
  • 🔍 The PR is now ready for review
  • 🍿 In the meantime, view a preview of this PR or explore it in StackBlitz
  • 🖐 You can always follow up here. If you're a VMware employee, you can also reach us on our internal Clarity Support space

Thank you,

🤖 Clarity Release Bot

@dtsanevmw changed the title from "Potential fix for code scanning alert no. 22: Code injection" to "chore: prevent code injection in snapshot step" on Oct 7, 2025
@dtsanevmw changed the title from "chore: prevent code injection in snapshot step" to "chore: prevent code injection in visual snapshot step" on Oct 7, 2025