chore: secure hermetic_library_generation workflow (#2317)

* chore: secure hermetic_library_generation workflow

Thanks to @diogoteles08 for the inspection on our repos.
This PR inlines environment variables to avoid overriding script injections.

* fix github object reference

* Update hermetic_library_generation.yaml

* Update hermetic_library_generation.yaml

* fix env reference

* use vars instead of env

* workaround for indirectly referencing env in jobs.if

* rename job

* test job without steps

* cleaner no-op step

* rewording

* 🦉 Updates from OwlBot post-processor

See https://github.com/googleapis/repo-automation-bots/blob/main/packages/owl-bot/README.md

* simplify conditional generation

---------

Co-authored-by: Owl Bot <gcf-owl-bot[bot]@users.noreply.github.com>

Author: diegomarquezp

.github/workflows/hermetic_library_generation.yaml

@@ -19,11 +19,11 @@ on:
 
 env:
   HEAD_REF: ${{ github.head_ref }}
+  REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+  GITHUB_REPOSITORY: ${{ github.repository }}
 
 jobs:
   library_generation:
-    # skip pull requests come from a forked repository
-    if: github.event.pull_request.head.repo.full_name == github.repository
     runs-on: ubuntu-latest
     steps:
     - uses: actions/checkout@v4
@@ -34,6 +34,10 @@ jobs:
       shell: bash
       run: |
         set -ex
+        if [[ "${GITHUB_REPOSITORY}" != "${REPO_FULL_NAME}" ]]; then
+          echo "This PR comes from a fork. Generation will be skipped"
+          exit 0
+        fi
         [ -z "$(git config user.email)" ] && git config --global user.email "[email protected]"
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \