containers / podman

Podman: A tool for managing OCI containers and pods.

ci: use env vars to avoid template expansion in code contexts

Template expansions are not aware of shell script syntax, and therefore
can potentially result in code injection vulnerabilities when used in
code contexts: https://docs.zizmor.sh/audits/#template-injection

To avoid this, instead use environment variables to safely store the
values of the template expansions.

Also (in the process of doing the above) added double-quotes around
some instances of variable expansions in shell scripts, which is
necessary to avoid unintended shell splitting and globbing. (I didn't
see any instances where this was actually likely to result in erroneous
behavior, but it's good practice and makes shell scripts more robust.)

Signed-off-by: Daniel Hast <hast.daniel@protonmail.com>
Daniel Hast committed
67c050bb8e2b9dc909d536a1535b81036d182108
Parent: 3f4af37
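
An added example, not part of this commit or the Podman repository: a small Python check that flags `${{ ... }}` expansions inside `run:` scripts, applied to a constructed workflow that contains both the pattern the commit message describes and the env-var form it switches to. The workflow, its step names and `find_run_expansions` are hypothetical, and the scan is line-based rather than a full YAML parse.

```python
import re

# Constructed workflow (not from the Podman repo): step "before" expands a
# template inside the script; step "after" passes the value through env.
WORKFLOW = """\
jobs:
  report:
    runs-on: ubuntu-latest
    steps:
      - name: before
        run: |
          echo "Title: ${{ github.event.pull_request.title }}"
      - name: after
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Title: $PR_TITLE"
"""

EXPANSION = re.compile(r"\$\{\{.*?\}\}")
# Captures everything up to the key so its column is known ("- run:" included).
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")


def find_run_expansions(text):
    """Return (line_number, expansion) for each ${{ }} inside a run: script."""
    findings = []
    key_col = None  # column of the active run: key; None when outside a script
    for number, line in enumerate(text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip())
        match = RUN_KEY.match(line)
        if match:
            key_col, body = len(match.group(1)), match.group(2)
        elif key_col is not None and (not line.strip() or indent > key_col):
            body = line  # continuation of a block scalar
        else:
            key_col = None  # dedent: back to ordinary YAML keys such as env:
            continue
        findings += [(number, m.group(0)) for m in EXPANSION.finditer(body)]
    return findings


if __name__ == "__main__":
    for number, expansion in find_run_expansions(WORKFLOW):
        print(f"line {number}: {expansion} is expanded before the shell parses the script")
```

Only the `before` step is reported: the expansion under `env:` is assigned as a string value and reaches the script as `$PR_TITLE`, which the shell treats as data.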