fix: use deploy environment for build job and replace ref with sha to prevent TOCTOU

based on feedback from security folks

Signed-off-by: jmeridth <jmeridth@gmail.com>
Co-authored-by: Kylie Stradley <4666485+KyFaSt@users.noreply.github.com>

Author: jmeridth

.github/workflows/jekyll-preview.yml

@@ -17,11 +17,13 @@ permissions:
 # Allow only one concurrent deployment per PR, skipping runs queued between the run in-progress and latest queued.
 # However, do NOT cancel in-progress runs as we want to allow these production deployments to complete.
 concurrency:
-  group: 'pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}'
+  group: "pages-preview @ ${{ github.event.pull_request.head.label || github.head_ref || github.ref }}"
   cancel-in-progress: false
 jobs:
   # Build job
   build:
+    environment:
+      name: "Pages Preview"
     # Limit permissions of the GITHUB_TOKEN for untrusted code
     permissions:
       contents: read
@@ -31,7 +33,7 @@ jobs:
         uses: actions/checkout@eef61447b9ff4aafe5dcd4e0bbf5d482be7e7871 # v4
         with:
           # For PRs make sure to checkout the PR branch
-          ref: ${{ github.event.pull_request.head.ref }}
+          ref: ${{ github.event.pull_request.head.sha }}
           repository: ${{ github.event.pull_request.head.repo.full_name }}
       - name: Setup Pages
         uses: actions/configure-pages@983d7736d9b0ae728b81ab479565c72886d7745b # v5
@@ -46,7 +48,7 @@ jobs:
   # Deployment job
   deploy:
     environment:
-      name: 'Pages Preview'
+      name: "Pages Preview"
       url: ${{ steps.deployment.outputs.page_url }}
     # Sets permissions of the GITHUB_TOKEN to allow deployment to GitHub Pages
     permissions:
@@ -60,4 +62,4 @@ jobs:
         id: deployment
         uses: actions/deploy-pages@d6db90164ac5ed86f2b6aed7e0febac5b3c0c03e # v4
         with:
-          preview: 'true'
+          preview: "true"