workflows/ci: fix template-injection zizmor findings #195318

Draft. Wants to merge 3 commits into base: master.
Conversation

@samford samford commented Dec 15, 2024


This updates workflows/ci.yml to use environment variables to
address a template-injection error and similar info output from zizmor.

I've added # shellcheck disable=SC2086 comments in a few places where shellcheck wanted quotes but the strings consist of space-separated packages:

ci.yml:194:9: shellcheck reported issue in this script: SC2086:info:1:26: Double quote to prevent globbing and word splitting [shellcheck]
    |
194 |         run: |
    |         ^~~~
ci.yml:202:9: shellcheck reported issue in this script: SC2086:info:1:23: Double quote to prevent globbing and word splitting [shellcheck]
    |
202 |         run: |
    |         ^~~~
ci.yml:240:9: shellcheck reported issue in this script: SC2086:info:1:23: Double quote to prevent globbing and word splitting [shellcheck]
    |
240 |         run: |
    |         ^~~~

Adding quotes in those instances would cause brew to interpret something like "one two three" as one package with that name instead of three packages. If there's a better way to handle this, let me know.

As with my other recent actions PRs, I'm not very knowledgeable about GitHub Actions, so I've created this as a draft until more knowledgeable maintainers have a chance to review this and catch any mistakes.
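Added here as an example (not code from the homebrew-cask workflow), assuming two env names, `TITLE` and `PACKAGES`, that stand in for values the PR moves from `${{ ... }}` expressions into `env:`; it shows why a quoted env value cannot run as shell and one way to split a package list on purpose without leaving globbing on:

```shell
#!/bin/sh
# Added example, not code from ci.yml. The two helpers stand in for `run:`
# steps that read values that were moved out of `${{ ... }}` into `env:`.
# TITLE and PACKAGES are assumed env names; the values below are constructed.

# 1. A value that reaches the step through env is expanded after the shell
#    has parsed the script, so `$(...)`, backticks and `*` in it stay literal.
#    With `${{ ... }}` pasted straight into `run:`, that text would be parsed
#    as part of the script itself.
render_title() {
  printf 'title=%s\n' "$TITLE"
}

# 2. PACKAGES is split on purpose ("one two three" is three casks), which is
#    exactly what shellcheck SC2086 warns about. Turning globbing off around
#    the split keeps the split but stops a "*" in the list from matching files,
#    and every later use of the parts is quoted.
count_packages() {
  set -f                       # no pathname expansion during the split
  # shellcheck disable=SC2086  # word splitting is the intent here
  set -- $PACKAGES
  set +f
  for pkg in "$@"; do
    printf 'package: %s\n' "$pkg" >&2
  done
  printf '%s\n' "$#"           # number of packages, as a step output would be
}

# Constructed sample values in place of the workflow's env: entries.
TITLE='Release $(date) notes *'
PACKAGES='one two three'

render_title                   # prints: title=Release $(date) notes *
count_packages                 # prints 3
```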

@samford samford left a comment

run: |
brew ruby -r "$(brew --repository homebrew/cask)/cmd/lib/check.rb" <<'EOF'
require "cask/cask_loader"
require "utils/github/actions"

before = JSON.parse(<<~'EOS').transform_keys(&:to_sym)
${{ steps.snapshot.outputs.before }}
$SNAPSHOT_BEFORE
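Review bot: the outer heredoc on the `brew ruby` line uses the quoted delimiter `<<'EOF'`, so the shell never expands `$SNAPSHOT_BEFORE`; Ruby receives the literal text `$SNAPSHOT_BEFORE` as the body of the `<<~'EOS'` string, and `JSON.parse` will reject it. Read the value from the environment inside Ruby instead, for example `before = JSON.parse(ENV.fetch("SNAPSHOT_BEFORE")).transform_keys(&:to_sym)`, and drop the `<<~'EOS'` heredoc. Passing the data through `env:` rather than as a `${{ }}` expression inside the script is what removes the template-injection finding, so the Ruby side just needs to read it from `ENV`.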
@bayandin bayandin Dec 16, 2024

You probably need to get this from env, like ENV.fetch("SNAPSHOT_BEFORE").

@samford samford Dec 17, 2024

Ah yeah, I wasn't sure if there was any magic interpolation that would happen, but that makes sense.

I've updated this to use JSON.parse(ENV.fetch("SNAPSHOT_BEFORE", "{}")).transform_keys(&:to_sym) but for some reason before ends up being nil even though SNAPSHOT_BEFORE is clearly set on CI (e.g., https://github.com/Homebrew/homebrew-cask/actions/runs/12365165225/job/34509690180?pr=195318).

Member

Hmm, I don't see anything obvious 🤷
I'd add a couple of debug puts/env(1) to see what's missing.

@bayandin bayandin commented Dec 16, 2024

Seeing some CI failures with a few of these changes:

Error: The template is not valid. .github/workflows/ci.yml (Line: 193, Col: 30): Error reading JToken from JsonReader. Path '', line 0, position 0.

Error: The template is not valid. .github/workflows/ci.yml (Line: 202, Col: 27): Error reading JToken from JsonReader. Path '', line 0, position 0.

Error: The template is not valid. .github/workflows/ci.yml (Line: 241, Col: 30): Error reading JToken from JsonReader. Path '', line 0, position 0.

In https://github.com/Homebrew/homebrew-cask/actions/runs/12342912865/job/34443307830?pr=195318

I suspect the "Gather cask information" step got skipped, so some variables weren't set, and in the next steps they're used in env: (with the proposed changes, the evaluation happens earlier).

This updates `workflows/ci.yml` to use an environment variable to
address a `template-injection` error from `zizmor`.
@samford samford force-pushed the zizmor-ci-template-injection branch 6 times, most recently from ec44051 to 37dc7fd on December 17, 2024 02:10
This updates `workflows/ci.yml` to use environment variables to
address `template-injection` info from `zizmor`.
@samford samford force-pushed the zizmor-ci-template-injection branch from 37dc7fd to cdd799b on December 17, 2024 02:28