ci(smoke-test): pass workflow inputs through env vars

[wyattjoh]

Summary

• Move inputs.preset, inputs.version, matrix.docker, and matrix.bin from inline ${{ ... }} template substitution in run: blocks to env: bindings, so shell interpolation happens after expansion rather than before.
• Defense-in-depth: the upstream gate in release.yml already restricts issue_comment triggers to MEMBER/OWNER actors, but the pattern is cheap to follow and eliminates the rule entirely.
• Closes CodeQL actions/code-injection/critical alert on the smoke-test version check.

Test plan

• Smoke-test workflow runs green against an existing release (or canary) job

[changeset-bot]

⚠️ No Changeset found

Latest commit: ac671af

Merging this PR will not cause a version bump for any packages. If these changes should not result in a new version, you're good to go. If these changes should result in a version bump, you need to add a changeset.

This PR includes no changesets

When changesets are added to this PR, you'll see the packages that this PR includes changesets for and the associated semver types

Click here to learn what changesets are, and how to add one.

Click here if you're a maintainer who wants to add a changeset to this PR

[wyattjoh]

Stack: security-codeql-fixes

• fix(pkce): use rejection sampling to remove modulo bias #171
• ci: pin GITHUB_TOKEN to contents:read in all workflows #172
• ci(smoke-test): pass workflow inputs through env vars #173 👈 this PR

Part of a stacked PR chain. Do not merge manually.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: ad2a2a50-2acb-4e2a-9d7b-7bd16c509e2d

📥 Commits

Reviewing files that changed from the base of the PR and between 1c2041e and ac671af.

📒 Files selected for processing (1)

• .github/workflows/smoke-test.yml

✅ Files skipped from review due to trivial changes (1)

• .github/workflows/smoke-test.yml

---

📝 Walkthrough

Walkthrough

The GitHub Actions workflow .github/workflows/smoke-test.yml was modified to export preset/version/container/bin values into bash via environment variables instead of embedding ${{ ... }} directly in run scripts. In resolve-matrix, PRESET is assigned from inputs.preset, the case switches on "$PRESET", and the unknown-preset error reports $PRESET. In smoke-test, EXPECTED, DOCKER_IMAGE, and BIN are set from inputs/matrix values; script branches either run docker run "$DOCKER_IMAGE" "/work/$BIN --version" or execute "$BIN" --version, and version messages/errors reference $EXPECTED.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title accurately describes the main change: moving workflow inputs from inline template substitution to environment variables in the smoke-test CI workflow.
Description check	✅ Passed	The description clearly relates to the changeset, explaining the specific refactoring of how workflow inputs are passed and the security improvement (CodeQL alert closure) it achieves.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}