ci: prevent command injection in prevent-deletion workflow

[Oreoxmt]

First-time contributors' checklist

• I've signed the Contributor License Agreement, which is required for the repository owners to accept my contribution.

What is changed, added or deleted? (Required)

ci: prevent command injection in prevent-deletion workflow

Which TiDB version(s) do your changes apply to? (Required)

Tips for choosing the affected version(s):

By default, CHOOSE MASTER ONLY so your changes will be applied to the next TiDB major or minor releases. If your PR involves a product feature behavior change or a compatibility change, CHOOSE THE AFFECTED RELEASE BRANCH(ES) AND MASTER.

For details, see tips for choosing the affected versions.

• master (the latest development version)
• v9.0 (TiDB 9.0 versions)
• v8.5 (TiDB 8.5 versions)
• v8.1 (TiDB 8.1 versions)
• v7.5 (TiDB 7.5 versions)
• v7.1 (TiDB 7.1 versions)
• v6.5 (TiDB 6.5 versions)
• v6.1 (TiDB 6.1 versions)

What is the related PR or file link(s)?

• This PR is translated from:
• Other reference link(s):

Do your changes match any of the following descriptions?

• Delete files
• Change aliases
• Need modification after applied to another branch
• Might cause conflicts after applied to another branch

[gemini-code-assist]

Note

Gemini is unable to generate a review for this pull request due to the file types involved not being currently supported.

[Copilot]

Pull request overview

This PR updates the prevent-deletion GitHub Actions workflow (runs on pull_request_target) to reduce injection risk when handling pull request–provided values, and to generate check-run payloads more safely.

Changes:

• Quote PR-provided values by routing them through environment variables for git/curl usage.
• Replace echo-constructed JSON with jq -n JSON generation for the check-run payload.
• Adjust checkout/fetch behavior to ensure the head commit can be diffed reliably.

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.

[ti-chi-bot]

[LGTM Timeline notifier]

Timeline:

• 2026-05-26 05:55:01.214504115 +0000 UTC m=+331571.184669169: ☑️ agreed by qiancai.

[Oreoxmt]

/approve

[ti-chi-bot]

[APPROVALNOTIFIER] This PR is APPROVED

This pull-request has been approved by: Oreoxmt

The full list of commands accepted by this bot can be found here.

The pull request process is described here

Details

Needs approval from an approver in each of these files:

• OWNERS [Oreoxmt]

Approvers can indicate their approval by writing /approve in a comment
Approvers can cancel approval by writing /approve cancel in a comment

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-6.5: #22929.
But this PR has conflicts, please resolve them!

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-7.1: #22930.
But this PR has conflicts, please resolve them!

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-7.5: #22931.
But this PR has conflicts, please resolve them!

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-8.1: #22932.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-8.5: #22933.

[ti-chi-bot]

In response to a cherrypick label: new pull request created to branch release-6.1: #22934.
But this PR has conflicts, please resolve them!