workflows/ci: fix template-injection zizmor findings

[samford]

Important: Do not tick a checkbox if you haven’t performed its action. Honesty is indispensable for a smooth review process.

In the following questions <cask> is the token of the cask you're submitting.

After making any changes to a cask, existing or new, verify:

• The submission is for a stable version or documented exception.
• brew audit --cask --online <cask> is error-free.
• brew style --fix <cask> reports no offenses.

Additionally, if adding a new cask:

• Named the cask according to the token reference.
• Checked the cask was not already refused (add your cask's name to the end of the search field).
• brew audit --cask --new <cask> worked successfully.
• HOMEBREW_NO_INSTALL_FROM_API=1 brew install --cask <cask> worked successfully.
• brew uninstall --cask <cask> worked successfully.

---

This updates workflows/ci.yml to use environment variables to
address a template-injection error and similar info output from zizmor.

I've added # shellcheck disable=SC2086 comments in a few places where shellcheck wanted quotes but the strings consist of space-separated packages:

ci.yml:194:9: shellcheck reported issue in this script: SC2086:info:1:26: Double quote to prevent globbing and word splitting [shellcheck]
    |
194 |         run: |
    |         ^~~~
ci.yml:202:9: shellcheck reported issue in this script: SC2086:info:1:23: Double quote to prevent globbing and word splitting [shellcheck]
    |
202 |         run: |
    |         ^~~~
ci.yml:240:9: shellcheck reported issue in this script: SC2086:info:1:23: Double quote to prevent globbing and word splitting [shellcheck]
    |
240 |         run: |
    |         ^~~~

Adding quotes in those instances would cause brew to interpret something like "one two three" as one package with that name instead of three packages. If there's a better way to handle this, let me know.

As with my other recent actions PRs, I'm not very knowledgeable about GitHub Actions, so I've created this as a draft until more knowledgeable maintainers have a chance to review this and catch any mistakes.

[samford]

Seeing some CI failures with a few of these changes:

Error: The template is not valid. .github/workflows/ci.yml (Line: 193, Col: 30): Error reading JToken from JsonReader. Path '', line 0, position 0.

Error: The template is not valid. .github/workflows/ci.yml (Line: 202, Col: 27): Error reading JToken from JsonReader. Path '', line 0, position 0.

Error: The template is not valid. .github/workflows/ci.yml (Line: 241, Col: 30): Error reading JToken from JsonReader. Path '', line 0, position 0.

[bayandin]

Seeing some CI failures with a few of these changes:

Error: The template is not valid. .github/workflows/ci.yml (Line: 193, Col: 30): Error reading JToken from JsonReader. Path '', line 0, position 0.

Error: The template is not valid. .github/workflows/ci.yml (Line: 202, Col: 27): Error reading JToken from JsonReader. Path '', line 0, position 0.

Error: The template is not valid. .github/workflows/ci.yml (Line: 241, Col: 30): Error reading JToken from JsonReader. Path '', line 0, position 0.

In https://github.com/Homebrew/homebrew-cask/actions/runs/12342912865/job/34443307830?pr=195318

I suspect "Gather cask information" step got skipped, so some variables weren't set, and in the next steps, they're used in env: (with proposed changes, the evaluation happens earlier)

[samford]

Nothing blew up when I ran this with a version bump commit (https://github.com/Homebrew/homebrew-cask/actions/runs/12505907895), so I think this is finally in a working state. There's some precedent for using the HOMEBREW_ prefix to work around the environment filtering (https://github.com/Homebrew/homebrew-core/blob/c315e9ff988b75b7f0f21f28ca625ff6ad577032/.github/workflows/scheduled.yml#L172), so this is probably fine for now.

I've marked this as ready for review and it would be helpful for folks who are more familiar with the cask CI setup to look over these changes.

[bevanjkay]

Looks good to me

@samford we can test the SNAPSHOT_BEFORE logic by testing google-drive as it should always fail CI with the default.