fix: github workflow vulnerable to script injection (#2600)

* fix: github workflow vulnerable to script injection Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> * inline forked repo check * Update hermetic_library_generation.yaml * remove unnecessary variable evaluation token * fix wording --------- Signed-off-by: Diogo Teles Sant'Anna <diogoteles@google.com> Co-authored-by: Diego Marquez <diegomarquezp@google.com>

Author: diogoteles08

.github/workflows/hermetic_library_generation.yaml

@@ -17,10 +17,14 @@ name: Hermetic library generation upon generation config change through pull req
 on:
  pull_request:
 
+env:
+ HEAD_REF: ${{ github.head_ref }}
+ REPO_FULL_NAME: ${{ github.event.pull_request.head.repo.full_name }}
+
 jobs:
  library_generation:
- # skip pull requests come from a forked repository
- if: github.event.pull_request.head.repo.full_name == github.repository
+ # skip pull requests coming from a forked repository 
+ if: github.env.REPO_FULL_NAME == github.repository
  runs-on: ubuntu-latest
  steps:
  - uses: actions/checkout@v4
@@ -35,6 +39,6 @@ jobs:
  [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
  bash .github/scripts/hermetic_library_generation.sh \
  --target_branch ${{ github.base_ref }} \
- --current_branch ${{ github.head_ref }}
+ --current_branch $HEAD_REF
  env:
  GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}