Fix code injection warnings in check-codescanning-config internal Action

[angelapwen]

• Use environment variable for EXPECTED_CONFIG_FILE_CONTENTS to escape any injected input
• Use $RUNNER_TEMP rather than ${{ runner.temp }} for good measure, even though runner.temp should not be user-controlled input anyway.

Merge / deployment checklist

• Confirm this change is backwards compatible with existing workflows.
• Confirm the readme has been updated if necessary.
• Confirm the changelog has been updated if necessary.

[Copilot]

PR Overview

This PR fixes code injection warnings in the check-codescanning-config Action by switching to environment variables and safer temporary directory references.

• Replace user-supplied inline inputs with environment variables for improved security.
• Update temporary directory references to use $RUNNER_TEMP.

Reviewed Changes

File	Description
.github/actions/check-codescanning-config/action.yml	Updated to use environment variable EXPECTED_CONFIG_FILE_CONTENTS and $RUNNER_TEMP for file paths in commands and cleanup steps.

Copilot reviewed 1 out of 1 changed files in this pull request and generated 1 comment.

Tip: If you use Visual Studio Code, you can request a review from Copilot before you push from the "Source Control" tab. Learn more

[aeisenberg]

See copilot's comment.

[aeisenberg]

Oh...now it looks like the tests need to be updated. I'm not sure if this is a semantic change or just some artifact of how the quoting has changed.

[angelapwen]

Hrm.. looks like the "{}" input is now being parsed as undefined. Let me try to debug..

[angelapwen]

Okay, figured it out... I had declared the environment variable in the wrong block 🤦