Avoid evaluation of command substitution in input

[giordano]

In the body of the bash script, ${{ inputs }} parameters are often quoted with double quotes, which allow command substitution. This replaces double quotes with single quotes to prevent that and avoid command substitution.

First spotted in https://github.com/EnzymeAD/Reactant.jl/actions/runs/11603689684/job/32311135543#step:3:87. Note that the restore_key is set to

  restore_key="julia-cache;workflow=Format `main`;job=format;os=Linux;${matrix_key}"

Note the workflow is called literally Format `main`, which inside double quotes is evaluated, leading to an error in this case, but it opens the door to arbitrary code execution just by tweaking the workflow name.

[omus]

An alternate solution would be to environmental variables for each input which allows the use of double quotes still.

env:
  depot: ${{ inputs.depot }}

I'm fine with the single-quote fix here but I do think we need a comment about it in action.yaml so we don't accidentally re-introduce double-quotes.

[omus]

opens the door to arbitrary code execution just by tweaking the workflow name.

If we're concerned about this then I don't think even single quotes will work as an attacker could escape the single quotes as well:

$ echo ''`curl -fsSL httpbin.org/headers`''
{ "headers": { "Accept": "*/*", "Host": "httpbin.org", "User-Agent": "curl/8.4.0", "X-Amzn-Trace-Id": "Root=1-67253d14-2e9e98a86356666d2b9009ff" } }

Assigning inputs to env first (either globally or per step) should avoid this.