ci: fix semgrep reported run-shell-injection (#764)

Author: oakrizan

.github/workflows/gradle-goal/action.yml

@@ -29,5 +29,7 @@ runs:
         java-version-file: ${{ inputs.java-version-file }}
         distribution: ${{ inputs.distribution }}
         cache: 'gradle'
-    - run: ${{ inputs.command }}
+    - run: "${COMMAND}"
       shell: ${{ inputs.shell }}
+      env:
+        COMMAND: ${{ inputs.command }}

.github/workflows/pre-post-release.yml

@@ -106,10 +106,13 @@ jobs:
       - name: Insert notes into cumulative changelog (post release)
         if: inputs.phase == 'post'
         run: |
-          echo "# ${{ inputs.version }} - $(date +'%d/%m/%Y')" > tmpchangelog
-          echo '${{ inputs.changelog }}' >> tmpchangelog
+          echo "# ${VERSION} - $(date +'%d/%m/%Y')" > tmpchangelog
+          echo "${CHANGELOG}" >> tmpchangelog
           cat CHANGELOG.md >> tmpchangelog
           mv tmpchangelog CHANGELOG.md
+        env:
+          VERSION: ${{ inputs.version }}
+          CHANGELOG: ${{ inputs.changelog }}
 
       - name: Clear next release changelog (post release)
         if: inputs.phase == 'post'
@@ -119,10 +122,14 @@ jobs:
       - name: Push the ${{ inputs.phase }} release branch
         run: |
           git add --all
-          git commit -m "${{ inputs.phase }} release: elastic-otel-java v${{ env.RELEASE_VERSION }}"
+          git commit -m "${PHASE} release: elastic-otel-java v${{ env.RELEASE_VERSION }}"
           git push origin ${{ env.BRANCH_NAME }}
+        env:
+          PHASE: ${{ inputs.phase }}
 
       - name: Create the ${{ inputs.phase }} release PR
-        run: gh pr create --title="${{ inputs.pr_title }}" --base main --head ${{ env.BRANCH_NAME }} -b "${{ inputs.pr_body }}"
+        run: gh pr create --title="${PR_TITLE}" --base main --head ${{ env.BRANCH_NAME }} -b "${PR_BODY}"
         env:
           GH_TOKEN: ${{ steps.get_token.outputs.token }}
+          PR_TITLE: ${{ inputs.pr_title }}
+          PR_BODY: ${{ inputs.pr_body }}

.github/workflows/validate-tag/action.yml

@@ -15,11 +15,13 @@ runs:
       id: validate-tag
       shell: 'bash'
       run: |
-        if ! [ $(echo "${{ inputs.tag }}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
+        if ! [ $(echo "${TAG}" | grep -P "(\d{1,2})\.(\d{1,2})\.(\d{1,2})") ]; then
           echo "Tag should be a SemVer format"
           exit 1
         fi
-        if [ $(git tag -l "${{ inputs.tag }}") ]; then
-          echo "The tag ${{ inputs.tag }} already exists"
+        if [ $(git tag -l "${TAG}") ]; then
+          echo "The tag ${TAG} already exists"
           exit 1
         fi
+      env:
+        TAG: ${{ inputs.tag }}