
Harden run step env map allocation against integer overflow in sanitizer#33552

Closed
Copilot wants to merge 3 commits into
mainfrom
copilot/fix-code-scanning-alert-597

Conversation

Copilot AI commented May 20, 2026

Contributor

This PR addresses a CodeQL code-scanning finding in the run-step sanitizer where map capacity was computed with overflow-prone integer addition. The change removes the risky allocation-size arithmetic while preserving sanitizer behavior.

  • What changed

    • Updated sanitizeRunStepExpressions in pkg/workflow/run_step_sanitizer.go to avoid len(existingEnv)+len(ordered) in make(...) capacity.
    • Map allocation now uses len(existingEnv) and relies on normal map growth for injected entries.
  • Why this resolves the alert

    • Eliminates the potential integer-overflow path in allocation size computation flagged by static analysis.
    • Keeps semantics intact: existing env vars are copied first, then synthesized vars are added as before.
// before
newEnv := make(map[string]any, len(existingEnv)+len(ordered))

// after
newEnv := make(map[string]any, len(existingEnv))
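As an added example (not the project's code, and not taken from the PR), the block below shows the two things a reviewer of this change would want to see side by side: a capacity hint computed with an explicit overflow check rather than a bare `len(a)+len(b)`, and a copy-then-inject merge whose observable result does not depend on the capacity hint at all. `mergeEnvCapacity`, `mergeEnv`, the `synth` callback and the sample environment are all hypothetical names and constructed inputs for this example; the real `sanitizeRunStepExpressions` is not reproduced here. Two Go lengths are unlikely to sum past `math.MaxInt` in practice, so the fallback branch mainly illustrates the checked-addition pattern; the more consequential check is that a synthesized name colliding with an existing key overwrites it, which follows from the copy-first order the PR describes.

```go
package main

import (
	"fmt"
	"math"
)

// mergeEnvCapacity returns a capacity hint for a map that will hold
// `existing` copied entries plus up to `injected` new ones. When the sum
// would overflow int it falls back to `existing` and lets the map grow,
// which is the same behaviour the PR's "after" line relies on.
// Hypothetical helper written for this example, not the project's code.
func mergeEnvCapacity(existing, injected int) int {
	if existing < 0 || injected < 0 {
		return 0 // a capacity hint is only a hint; never pass a negative one to make
	}
	if injected > math.MaxInt-existing { // checked addition: would existing+injected overflow?
		return existing
	}
	return existing + injected
}

// mergeEnv copies existingEnv first, then adds one synthesized value per
// name in ordered, mirroring the copy-then-inject order described in the
// PR. It never mutates existingEnv. A name that appears both in
// existingEnv and ordered ends up with the synthesized value because the
// injection pass runs second.
func mergeEnv(existingEnv map[string]any, ordered []string, synth func(name string) any) map[string]any {
	newEnv := make(map[string]any, mergeEnvCapacity(len(existingEnv), len(ordered)))
	for k, v := range existingEnv {
		newEnv[k] = v
	}
	for _, name := range ordered {
		newEnv[name] = synth(name)
	}
	return newEnv
}

func main() {
	// Constructed sample input: two pre-existing variables and two names to
	// inject, one of which collides with an existing key.
	existing := map[string]any{"HOME": "/home/runner", "PATH": "/usr/bin"}
	ordered := []string{"GH_AW_STEP_ID", "HOME"}
	merged := mergeEnv(existing, ordered, func(n string) any { return "synth:" + n })
	fmt.Println(len(merged), merged["HOME"], existing["HOME"])
}
```

The capacity hint only affects how many times the map rehashes while being filled; the contents are identical whether the hint is `len(existingEnv)`, the checked sum, or zero, which is why a test of this code asserts on the merged map and on the untouched input rather than on allocation size.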

Copilot AI and others added 2 commits May 20, 2026 13:44
Co-authored-by: pelikhan <4175913+pelikhan@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Fix code scanning alert #597" to "Harden run step env map allocation against integer overflow in sanitizer" May 20, 2026
Copilot AI requested a review from pelikhan May 20, 2026 13:53
@github-actions

Contributor

Hey @Copilot 👋 — thanks for working on the code scanning alert fix! This looks like a focused security improvement updating allowed domains across workflow files. Here are a few things that would help get this ready for review:

  • Complete the validation — the PR checklist shows validation and final review steps are still pending. Make sure to run the targeted checks and complete the security validation.
  • Remove WIP status — once validation is complete, update the title to remove the [WIP] prefix and mark the PR as ready for review.
  • Add context — while the checklist is helpful, consider adding a brief summary explaining what security issue alert [Custom Engine Test] Test Pull Request - Custom Engine Safe Output #597 identified and why these domain changes fix it. This helps reviewers understand the security rationale.

Since this is a bot-generated PR for the core team workflow, the typical contribution process doesn't fully apply, but completing the validation steps will help ensure the changes are safe.

Complete the remaining validation steps for PR #33552:
1. Run targeted checks to verify the workflow files are still valid after the domain changes
2. Validate that the updated GH_AW_ALLOWED_DOMAINS values resolve the code scanning alert #597
3. Add a summary to the PR description explaining what alert #597 flagged and how these domain updates fix it
4. Once all checks pass, remove [WIP] from the title and mark the PR as ready for review

Warning

Firewall blocked 1 domain

The following domain was blocked by the firewall during workflow execution:

  • patchdiff.githubusercontent.com

To allow these domains, add them to the network.allowed list in your workflow frontmatter:

network:
  allowed:
    - defaults
    - "patchdiff.githubusercontent.com"

See Network Configuration for more information.

Generated by ✅ Contribution Check

@pelikhan pelikhan closed this May 20, 2026
@github-actions github-actions Bot deleted the copilot/fix-code-scanning-alert-597 branch May 28, 2026 03:01