
Conversation

@martin-georgiev
Member

Potential fix for https://github.com/Lendable/changed-files/security/code-scanning/1

How to generally fix the problem:
To fix this vulnerability, all user-controlled arguments that are used as git ref names or branch names should be validated or sanitized before being passed into any git command. Specifically, you should ensure that neither head.ref nor any other PR-controlled argument can start with - (which would treat the argument as a git option), and ideally check that it matches the allowed format for git ref names.

Single best way to fix:
Implement a function (e.g., isValidGitRef) that validates candidate branch names before using them as git arguments. The function should ensure:

  • The value is non-empty.
  • It does NOT start with -.
  • It matches the allowed git refname pattern (e.g., not containing .., not ending with .lock, etc.) for increased robustness, but at minimum, prevent leading dashes.

Specific regions to change:

  • In src/commitSha.ts: Before using any value from github.context.payload.pull_request?.head?.ref or ...gitFetchExtraArgs, ensure that each ref or extra arg is validated for safety.
  • The most robust place to handle this is right before we call gitFetch or gitFetchSubmodules in getSHAForPullRequestEvent. Add a validation for the relevant variables (currentBranch, items in gitFetchExtraArgs), and throw an error if the check fails.

What is needed:

  • Implement a function isSafeGitArg(val: string): boolean in src/utils.ts, just above the gitFetch function.
  • In src/commitSha.ts, before passing currentBranch or anything from gitFetchExtraArgs to git, assert all are safe using isSafeGitArg. If an unsafe value is found, throw with a clear message.
  • Import the function (if it is not in the same module or file).

Suggested fixes powered by Copilot Autofix. Review carefully before merging.

AI-ed

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
@martin-georgiev martin-georgiev changed the title from "Potential fix for code scanning alert no. 1: Second order command injection" to "fix: address second order command injection" on Nov 27, 2025
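The validator described in the PR body, written out as an added example. This is not the code from this PR or from the project's src/utils.ts; the function isSafeGitArg is the name the description proposes, while assertSafeGitArgs and the sample inputs are assumptions of this example. It implements the three listed rules (non-empty, no leading dash, valid refname format) and, going beyond the description, the remaining format rules that git check-ref-format(1) enforces, so a value that passes here is one git itself would accept as a ref name.

```typescript
// Added example (not the project's code): validate user-controlled values
// before they are used as git ref names / branch names in a git command.
// Rules: non-empty, no leading "-" (would be parsed as a git option), and
// the refname format from git check-ref-format(1).

/** Returns true when `val` is safe to pass to git as a ref name. */
function isSafeGitArg(val: string): boolean {
  if (typeof val !== "string" || val.length === 0) return false;
  // A leading dash makes git treat the value as an option rather than a ref.
  if (val.startsWith("-")) return false;
  // git check-ref-format rules on the whole name.
  if (val.includes("..")) return false;
  if (val.endsWith(".lock") || val.endsWith("/") || val.endsWith(".")) return false;
  if (val.includes("//") || val.includes("@{") || val === "@") return false;
  // No ASCII control characters, DEL, space, or the characters ~ ^ : ? * [ \
  // eslint-disable-next-line no-control-regex
  if (/[\x00-\x1f\x7f ~^:?*[\\]/.test(val)) return false;
  // Per-component rules: no empty component, none starting with "." or ending ".lock".
  for (const component of val.split("/")) {
    if (component.length === 0) return false;
    if (component.startsWith(".")) return false;
    if (component.endsWith(".lock")) return false;
  }
  return true;
}

/**
 * Assumed helper: check every ref-like argument before a git call and fail
 * with a clear message naming the offending value and where it came from.
 */
function assertSafeGitArgs(args: readonly string[], source: string): void {
  for (const arg of args) {
    if (!isSafeGitArg(arg)) {
      throw new Error(
        `Refusing to pass unsafe git ref argument from ${source}: ${JSON.stringify(arg)}`
      );
    }
  }
}

// Constructed sample: the shape of values that reach the fetch call.
const sampleBranch = "feature/validate-refs";
const sampleUntrusted = "--option-looking-ref";

assertSafeGitArgs([sampleBranch], "pull_request.head.ref"); // passes
console.log(isSafeGitArg(sampleUntrusted)); // false: leading dash
```

Because the leading-dash rule necessarily rejects every git option, this check belongs on values that are meant to be ref names (currentBranch, PR-supplied refs); any flags the action assembles itself should be checked against a separate allowlist rather than routed through isSafeGitArg, or they will be rejected too.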