
chore(ci): fix sonarqube security warnings in helm.yml (#5202)

* chore(ci): fix sonarqube security warnings in helm.yml

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>

* (peer-review) use process substitution and limit file perms.

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>

---------

Signed-off-by: Erik Westra <e.s.westra.95@gmail.com>
Co-authored-by: Gergely Brautigam <skarlso777@gmail.com>
Erik Westra 7 months ago
parent
commit
b139c7cedc
1 changed files with 8 additions and 2 deletions
  1. 8 2
      .github/workflows/helm.yml

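--- a/.github/workflows/helm.yml
+++ b/.github/workflows/helm.yml
@@ -101,9 +101,15 @@ jobs:
         run: make helm.generate
 
       - name: Import GPG key
+        env:
+          GPG_PRIVATE_KEY: ${{ secrets.GPG_PRIVATE_KEY }}
+          GPG_PASSPHRASE: ${{ secrets.GPG_PASSPHRASE }}
         run: |
-          echo "${{ secrets.GPG_PRIVATE_KEY }}" | gpg --dearmor --output keyring.gpg
-          echo -n "${{ secrets.GPG_PASSPHRASE }}" > passphrase-file.txt
+          gpg --dearmor --output keyring.gpg <(printf '%s' "$GPG_PRIVATE_KEY")
+          chmod 600 keyring.gpg
+
+          printf '%s' "$GPG_PASSPHRASE" > passphrase-file.txt
+          chmod 600 passphrase-file.txt
 
       - name: Run chart-releaser
         uses: helm/chart-releaser-action@cae68fefc6b5f367a0275617c9f83181ba54714f # v1.7.0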
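Review bot: The two `chmod 600` lines tighten permissions only after `keyring.gpg` and `passphrase-file.txt` already exist, so both files are created under the runner's default umask (typically 022, i.e. world-readable) for a moment before the chmod runs. Putting `umask 077` as the first line of the `run:` script closes that window and makes both chmod lines redundant, since every file the step creates is then owner-only from the start. The process substitution `<(...)` is bash-specific, which is fine as long as this step does not override `shell:`; that setting, like the rest of the job, is outside this hunk. The passphrase file is also left in the workspace for the following chart-releaser step and anything after it, so if a later step uploads or caches the workspace, consider deleting `passphrase-file.txt` once the release step has consumed it.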