Silence Codacy Bandit B105 false positive in executor leak test

[JE-Chen]

Summary

PR #61 added test_substitute_does_not_leak_into_result_key with a literal os.environ["FA_EXEC_SECRET"] = "TOP_SECRET" to verify substituted env values don't leak into result keys. Codacy/Bandit flagged this as B105 — Possible hardcoded password (PR #62 / dev → main blocked on it).

This is a test-only false positive — the literal is a deliberately recognisable sentinel, not a credential. Refactor instead of suppressing:

• Switch to pytest's monkeypatch (matching the existing pattern in test_substitution.py); auto-cleans, no try/finally needed.
• Rename env var so the key no longer contains "SECRET".
• Use a non-credential-looking sentinel value.

Behaviour under test is unchanged — still proves the un-substituted literal stays in the result key while the expanded value only reaches the callable.

Test plan

• pytest tests/test_action_executor.py — 13 passed locally
• Codacy clean on this PR
• CI matrix green

[codacy-production]

Up to standards ✅

🟢 Issues 0 issues

Results:
0 new issues

View in Codacy

🟢 Metrics 0 complexity · 0 duplication

Metric	Results
Complexity	0
Duplication	0

View in Codacy

_{NEW Get contextual insights on your PRs based on Codacy's metrics, along with PR and Jira context, without leaving GitHub. Enable AI reviewer
TIP This summary will be updated as you push new changes.}

[sonarqubecloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
0.0% Coverage on New Code
0.0% Duplication on New Code

See analysis details on SonarQube Cloud