fix: code injection via template expansion (information level)

https://docs.zizmor.sh/audits/#template-injection

Author: MaxymVlasov

.github/workflows/ci-cd.yml

@@ -209,6 +209,8 @@ jobs:
             )
     - name: Set the target Git tag
       id: git-tag
+      env:
+        DIST_VERSION: ${{ steps.scm-version.outputs.dist-version }}
       run: |
         from os import environ
         from pathlib import Path
@@ -219,13 +221,13 @@ jobs:
                 mode=FILE_APPEND_MODE,
         ) as outputs_file:
             print(
-                "tag=v${{
-                    steps.scm-version.outputs.dist-version
-                }}",
+                f"tag=v{environ['DIST_VERSION']}",
                 file=outputs_file,
             )
     - name: Set the expected dist artifact names
       id: artifact-name
+      env:
+        DIST_VERSION: ${{ steps.scm-version.outputs.dist-version }}
       run: |
         from os import environ
         from pathlib import Path
@@ -239,15 +241,11 @@ jobs:
                 mode=FILE_APPEND_MODE,
         ) as outputs_file:
             print(
-                f"sdist={sdist_file_prj_base_name !s}-${{
-                    steps.scm-version.outputs.dist-version
-                }}.tar.gz",
+                f"sdist={sdist_file_prj_base_name !s}-{environ['DIST_VERSION']}.tar.gz",
                 file=outputs_file,
             )
             print(
-                f"wheel={whl_file_prj_base_name !s}-${{
-                    steps.scm-version.outputs.dist-version
-                }}-py3-none-any.whl",
+                f"wheel={whl_file_prj_base_name !s}-{environ['DIST_VERSION']}-py3-none-any.whl",
                 file=outputs_file,
             )
 
@@ -269,7 +267,8 @@ jobs:
 
     env:
       TOXENV: cleanup-dists,build-dists
-
+      SDIST_ARTIFACT_NAME: ${{ needs.pre-setup.outputs.sdist-artifact-name }}
+      WHEEL_ARTIFACT_NAME: ${{ needs.pre-setup.outputs.wheel-artifact-name }}
     outputs:
       dists-base64-hash: ${{ steps.dist-hashes.outputs.combined-hash }}
 
@@ -359,19 +358,13 @@ jobs:
         --quiet
     - name: Verify that the artifacts with expected names got created
       run: >-
-        ls -1
-        'dist/${{ needs.pre-setup.outputs.sdist-artifact-name }}'
-        'dist/${{ needs.pre-setup.outputs.wheel-artifact-name }}'
+        ls -1 "dist/${SDIST_ARTIFACT_NAME}" "dist/${WHEEL_ARTIFACT_NAME}"
     - name: Generate dist hashes to be used for provenance
       id: dist-hashes
       run: >-
         echo "combined-hash=$(
-        sha256sum
-        '${{ needs.pre-setup.outputs.sdist-artifact-name }}'
-        '${{ needs.pre-setup.outputs.wheel-artifact-name }}'
-        | base64 -w0
-        )"
-        >> "${GITHUB_OUTPUT}"
+        sha256sum "$SDIST_ARTIFACT_NAME" "$WHEEL_ARTIFACT_NAME" | base64 -w0
+        )" >> $GITHUB_OUTPUT
       working-directory: dist
     - name: Store the distribution packages
       uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02  # v4.6.2