Fix security issues in site workflow - use env vars for untrusted input

Co-authored-by: slachiewicz <6705942+slachiewicz@users.noreply.github.com>

Author: Copilot

.github/workflows/site.yml

@@ -46,10 +46,14 @@ jobs:
       - name: Setup deploy
         id: setup
         if: github.event_name == 'push' && github.repository_owner == 'codehaus-plexus' && github.ref == 'refs/heads/source'
+        env:
+          COMMIT_EMAIL: ${{ github.event.head_commit.author.email }}
+          COMMIT_NAME: ${{ github.event.head_commit.author.name }}
+          COMMIT_ID: ${{ github.event.head_commit.id }}
         run: |
-          git config --global user.email "${{ github.event.head_commit.author.email }}"
-          git config --global user.name "${{ github.event.head_commit.author.name }}"
-          echo "deploy=-deploy -Dusername=git -Dpassword=${{ github.token }} -Dscmpublish.checkinComment='Site checkin for ${{ github.event.head_commit.id }}'" >> $GITHUB_OUTPUT
+          git config --global user.email "$COMMIT_EMAIL"
+          git config --global user.name "$COMMIT_NAME"
+          echo "deploy=-deploy -Dusername=git -Dpassword=${{ github.token }} -Dscmpublish.checkinComment='Site checkin for $COMMIT_ID'" >> "$GITHUB_OUTPUT"
 
       - name: Build with Maven
         run: mvn --show-version --errors --batch-mode --update-snapshots clean site${{ steps.setup.outputs.deploy }}