Fix potential sources of code injection via template expansion

Xref https://woodruffw.github.io/zizmor/audits/#template-injection

Author: weiji14

.github/workflows/check-links.yml

@@ -76,7 +76,8 @@ jobs:
       if: env.lychee_exit_code != 0
       run: |
         cd repository/
-        title="Link Checker Report on ${{ steps.date.outputs.date }}"
+        title="Link Checker Report on ${CURRENT_DATE}"
         gh issue create --title "$title" --body-file /tmp/lychee-out.md
       env:
         GH_TOKEN: ${{ github.token }}
+        CURRENT_DATE: ${{ steps.date.outputs.date }}

.github/workflows/ci_docs.yml

@@ -162,10 +162,11 @@ jobs:
         if: github.event_name == 'push' && matrix.os == 'ubuntu-latest'
 
       - name: Upload the HTML ZIP archive and PDF as release assets
-        run: gh release upload ${{ github.ref_name }} doc/_build/pygmt-docs.zip doc/_build/pygmt-docs.pdf
+        run: gh release upload ${REF_NAME} doc/_build/pygmt-docs.zip doc/_build/pygmt-docs.pdf
         if: github.event_name == 'release' && matrix.os == 'ubuntu-latest'
         env:
           GH_TOKEN: ${{ github.token }}
+          REF_NAME: ${{ github.ref_name }}
 
       - name: Checkout the gh-pages branch
         uses: actions/checkout@v4.2.2

.github/workflows/ci_tests_dev.yaml

@@ -109,7 +109,7 @@ jobs:
           mkdir build
           cd build
           cmake -G Ninja .. \
-            -DCMAKE_INSTALL_PREFIX=${{ env.GMT_INSTALL_DIR }} \
+            -DCMAKE_INSTALL_PREFIX=${GMT_INSTALL_DIR} \
             -DCMAKE_BUILD_TYPE=Release \
             -DGMT_ENABLE_OPENMP=TRUE \
             -DGMT_USE_THREADS=TRUE
@@ -129,7 +129,7 @@ jobs:
           cd build
           call "C:\Program Files\Microsoft Visual Studio\2022\Enterprise\VC\Auxiliary\Build\vcvars64.bat"
           cmake -G Ninja .. ^
-            -DCMAKE_INSTALL_PREFIX=${{ env.GMT_INSTALL_DIR }} ^
+            -DCMAKE_INSTALL_PREFIX=${GMT_INSTALL_DIR} ^
             -DCMAKE_BUILD_TYPE=Release ^
             -DCMAKE_PREFIX_PATH=${{ env.MAMBA_ROOT_PREFIX }}\envs\pygmt\Library ^
             -DGMT_ENABLE_OPENMP=TRUE ^

.github/workflows/dvc-diff.yml

@@ -56,6 +56,7 @@ jobs:
     - name: Generate the image diff report
       env:
         repo_token: ${{ github.token }}
+        PR_HEAD_SHA: ${{ github.event.pull_request.head.sha }}
       run: |
         echo -e "## Summary of changed images\n" > report.md
         echo -e "This is an auto-generated report of images that have changed on the DVC remote\n" >> report.md
@@ -97,7 +98,7 @@ jobs:
         echo -e "</details>\n" >> report.md
 
         # Mention git commit SHA in the report
-        echo -e "Report last updated at commit ${{ github.event.pull_request.head.sha }}" >> report.md
+        echo -e "Report last updated at commit ${PR_HEAD_SHA}" >> report.md
 
         # create/update PR comment
         cml comment update report.md

.github/workflows/release-baseline-images.yml

@@ -41,6 +41,7 @@ jobs:
         shasum -a 256 baseline-images.zip
 
     - name: Upload baseline image as a release asset
-      run: gh release upload ${{ github.ref_name }} baseline-images.zip
+      run: gh release upload ${REF_NAME} baseline-images.zip
       env:
         GH_TOKEN: ${{ github.token }}
+        REF_NAME: ${{ github.ref_name }}