v4.0.15

@Baspa Baspa tagged this 11 Apr 20:56
Move github.event.pull_request.user.login and github.head_ref from
direct interpolation in run: blocks to env: variables. This prevents
potential command injection via crafted branch names or usernames.

Flagged by Semgrep SAST (p/security-audit).

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
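
The pattern the commit message describes, as an added example that is not part of this release or the project's code: `${{ }}` expressions inside `run:` are substituted into the script text before the shell starts, while values passed through `env:` reach the script as data. The scanner below is a minimal line-based check (not the Semgrep rule); `find_run_interpolations` and the `BEFORE`/`AFTER` workflow snippets are constructed for illustration and cover only the two contexts named above.

```python
import re

# Contexts named in the commit message; other untrusted contexts are out of
# scope for this sketch (assumption).
UNTRUSTED = ("github.head_ref", "github.event.pull_request.user.login")
EXPR = re.compile(r"\$\{\{(.*?)\}\}")
RUN_KEY = re.compile(r"^\s*(?:-\s+)?run:\s*(.*)$")

def find_run_interpolations(workflow_text):
    """Return (line_no, context) for each untrusted context expanded in run:."""
    findings, block_indent = [], None  # block_indent: column of an open "run: |"
    for no, line in enumerate(workflow_text.splitlines(), 1):
        indent = len(line) - len(line.lstrip())
        if block_indent is not None and (not line.strip() or indent > block_indent):
            script = line                      # still inside the multi-line script
        else:
            block_indent = None                # dedent closes any open script
            m = RUN_KEY.match(line)
            if not m:
                continue                       # env:, name:, with: ... are not shell
            if m.group(1)[:1] in ("|", ">"):
                block_indent = line.index("run:")
                continue
            script = m.group(1)                # single-line "run: cmd"
        findings.extend((no, c) for e in EXPR.findall(script)
                        for c in UNTRUSTED if c in e)
    return findings

# Constructed workflow fragment: direct interpolation in run: blocks.
BEFORE = """\
steps:
  - name: Greet
    run: echo "PR by ${{ github.event.pull_request.user.login }}"
  - name: Checkout branch
    run: |
      git fetch origin
      git checkout "${{ github.head_ref }}"
"""
# Constructed fragment after the change: values arrive as env variables.
AFTER = """\
steps:
  - name: Checkout branch
    env:
      PR_AUTHOR: ${{ github.event.pull_request.user.login }}
      HEAD_REF: ${{ github.head_ref }}
    run: |
      echo "PR by $PR_AUTHOR"
      git checkout "$HEAD_REF"
"""
```
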