fix(pnpm-install): keep github-registry-token off disk (#279)

The token previously landed in ~/.npmrc as plain text, where any later
step in the same job could read it — a regression vs the npm pattern
this action replaced.

Instead, write the literal template '${GITHUB_REGISTRY_TOKEN}' into
~/.npmrc (single quotes, no shell expansion) and inject the env var
only for the install step. pnpm expands the template at registry-fetch
time; once the install step exits, the env var is gone and ~/.npmrc
holds an unusable template — later steps cannot exfiltrate the token.

Reported by František on the apify-core pnpm migration review.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: B4nan

pnpm-install/action.yaml

@@ -38,17 +38,22 @@ runs:
         run_install: false
         package_json_file: ${{ inputs.working-directory }}/package.json
 
-    # `npm` is always available on the runner via setup-node; using it here
-    # avoids ordering issues (corepack-managed pnpm isn't on PATH at every
-    # step) and writes the token into the user-global ~/.npmrc that pnpm
-    # also reads during install.
+    # Write a *template* (the literal string `${GITHUB_REGISTRY_TOKEN}`) into
+    # ~/.npmrc, NOT the expanded token. Using single quotes here is load-
+    # bearing — they prevent the shell from expanding the variable, so the
+    # actual token never lands on disk. pnpm/npm expand the template at
+    # registry-fetch time, reading the env var that we inject only for the
+    # install step below. Once that step finishes the env var is gone and
+    # ~/.npmrc holds an unusable template, so later steps in the same job
+    # cannot exfiltrate the token.
+    #
+    # `npm` is always available on the runner via setup-node and is used
+    # here only because corepack-managed pnpm isn't on PATH at every step.
     - name: Configure GitHub npm registry auth
       if: inputs.github-registry-token != ''
       shell: bash
-      env:
-        GITHUB_REGISTRY_TOKEN: ${{ inputs.github-registry-token }}
       run: |
-        npm config set "//npm.pkg.github.com/:_authToken=${GITHUB_REGISTRY_TOKEN}"
+        npm config set '//npm.pkg.github.com/:_authToken=${GITHUB_REGISTRY_TOKEN}'
 
     - name: Expose pnpm config(s) through "$GITHUB_OUTPUT"
       id: pnpm-config
@@ -70,10 +75,14 @@ runs:
         restore-keys: |
           ${{ runner.os }}-pnpm-store-cache-${{ steps.cache-rotation.outputs.YEAR_MONTH }}-
 
+    # GITHUB_REGISTRY_TOKEN is exposed only for this step. The .npmrc
+    # template written above expands it at registry-fetch time, then it's
+    # gone — no plaintext token ends up on disk for later steps to read.
     - name: Install dependencies
       shell: bash
       working-directory: ${{ inputs.working-directory }}
       run: |
         pnpm install --frozen-lockfile --prefer-offline --loglevel error
       env:
         HUSKY: "0"
+        GITHUB_REGISTRY_TOKEN: ${{ inputs.github-registry-token }}