fix: github workflow vulnerable to script injection

fix: github workflow vulnerable to script injection #5045