
fix Shell command built from environment values

Open odaysec opened this issue 7 months ago • 1 comments

https://github.com/Shopify/cli/blob/fe5568a39f42c252adf9fc204d5ce3d6947a933c/bin/pin-github-actions.js#L32-L32

To fix the issue, replace the use of `exec` with `execFile`, which allows us to pass arguments to the command as an array, avoiding the need to construct a shell command string. This approach ensures that special characters in filenames or other inputs are properly escaped and do not alter the behavior of the command.

Specifically:

  1. Replace the dynamic shell command string on line 32 with a call to execFile.
  2. Pass the GH_ADMIN_TOKEN environment variable explicitly using the env option of execFile.
  3. Pass the remaining arguments (pinGithubAction, githubYml, and flags) as an array to execFile.

References

Command Injection CWE-78 CWE-88

Measuring impact

How do we know this change was effective? Please choose one:

  • [ ] n/a - this doesn't need measurement, e.g. a linting rule or a bug-fix
  • [ ] Existing analytics will cater for this addition
  • [x] PR includes analytics changes to measure impact

Checklist

  • [x] I've considered possible cross-platform impacts (Mac, Linux, Windows)
  • [x] I've considered possible documentation changes

odaysec avatar May 06 '25 10:05 odaysec

/cla run

odaysec avatar May 07 '25 10:05 odaysec

This PR seems inactive. If it's still relevant, please add a comment saying so. Otherwise, take no action. → If there's no activity within a week, then a bot will automatically close this. Thanks for helping to improve Shopify's dev tooling and experience.

github-actions[bot] avatar Jun 07 '25 03:06 github-actions[bot]