This repository was archived by the owner on May 18, 2026. It is now read-only.

fix(ci): harden workflow security — prevent script injection and scope permissions #99

Open

jongio wants to merge 1 commit into main from auto/secops/2026-05-17

Conversation

@jongio (Owner) commented May 17, 2026

Summary

Harden CI workflow security by fixing two vulnerabilities identified during security audit.

Changes

1. Prevent script injection in update-azd-core.yml (CWE-77)

The update-azd-core.yml workflow used inline expression contexts to inject repository_dispatch payload values directly into shell commands. Since dispatch payloads are attacker-controlled, this enabled command injection.

Fix:

  • Move all payload values into env: blocks and reference them as shell variables
  • Strengthen version validation from ^v to strict semver: ^v[0-9]+.[0-9]+.[0-9]+(-[a-zA-Z0-9.]+)?$

2. Scope workflow permissions in website.yml (CWE-276)

The website.yml workflow declared contents: write and pull-requests: write at the workflow level, granting elevated permissions to all jobs — including the build job which only needs read access.

Fix:

  • Remove workflow-level permissions
  • Add job-level permissions: build gets read-only; deploy/cleanup jobs get write access

Testing

  • All Go tests pass
  • YAML syntax validated
  • No functional changes to workflow behavior

Issues

Closes #95
Closes #97
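The two fixes the PR describes, as an added illustration (this is not the azd-exec repository's own update-azd-core.yml or website.yml). The job names, the event type, the client_payload field name and the module path are assumptions; the version regex follows the PR's description, with the dots escaped here so they match literal dots.

```yaml
# Added illustration, not the repository's workflow. The commented-out step shows
# the pattern the PR removes; the jobs below show the hardened shape.

name: update-azd-core (illustration)

on:
  repository_dispatch:
    types: [azd-core-release]   # assumed event type

# No workflow-level `permissions:` block: each job declares the least it needs,
# so a token with contents: write never reaches a job that only reads.

jobs:
  # --- Vulnerable shape (what the PR replaces) ---------------------------------
  # The expression is expanded into the script text *before* the shell runs, so
  # a dispatch payload containing shell metacharacters becomes part of the
  # command rather than an argument to it:
  #
  #   - run: echo "Updating to ${{ github.event.client_payload.version }}"
  #
  # --- Hardened shape ----------------------------------------------------------
  update:
    runs-on: ubuntu-latest
    permissions:
      contents: write          # this job commits the version bump
      pull-requests: write     # and opens the PR for it
    env:
      # The expression is evaluated into an environment variable, never into
      # script text; the shell only ever sees it as data.
      AZD_VERSION: ${{ github.event.client_payload.version }}
    steps:
      - uses: actions/checkout@v4

      - name: Validate version (strict semver, fail closed)
        run: |
          # Quoting keeps "$AZD_VERSION" a single word even if it holds spaces.
          if [[ ! "$AZD_VERSION" =~ ^v[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
            echo "::error::rejected version string: $AZD_VERSION"
            exit 1
          fi

      - name: Update dependency
        # Module path is an assumption; the point is that the variable is
        # expanded by the shell, not by the workflow parser.
        run: go get "github.com/azure/azure-dev@${AZD_VERSION}"

  # --- Permission scoping (the website.yml fix) --------------------------------
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read           # building the site needs nothing more
    steps:
      - uses: actions/checkout@v4
      - run: echo "build step placeholder"

  deploy:
    needs: build
    runs-on: ubuntu-latest
    permissions:
      contents: write          # only the job that publishes gets write
      pull-requests: write
    steps:
      - run: echo "deploy step placeholder"
```

Two details worth checking when reviewing a change like this: every `${{ }}` that reads `github.event.*`, `github.head_ref` or an issue/PR title must be moved into `env:` (one left behind in any `run:` step is enough to reintroduce the issue), and the validation step must run before the value is used anywhere, including in `git` or `gh` invocations that happen to quote it correctly today.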

…e permissions

- Replace inline expression contexts with env vars in update-azd-core.yml
  to prevent command injection via repository_dispatch payloads (CWE-77)
- Strengthen version validation to require strict semver format
- Move workflow-level permissions to job-level in website.yml to enforce
  least privilege — build job now gets read-only access (CWE-276)

Closes #95
Closes #97

Co-authored-by: Copilot <223556219+Copilot@users.noreply.github.com>
@jongio jongio added automated Created by automation secops labels May 17, 2026
@github-actions (Contributor)

🚀 Website Preview

Your PR preview is ready!

📎 Preview URL: https://jongio.github.io/azd-exec/pr/99/

This preview will be automatically cleaned up when the PR is closed.

github-actions Bot added a commit that referenced this pull request May 17, 2026