git.openstreetmap.org Git - rails.git/commit
Avoid string interpolation into bash commands
author: Andy Allan <git@gravitystorm.co.uk>
Tue, 12 May 2026 14:16:40 +0000 (15:16 +0100)
committer: Andy Allan <git@gravitystorm.co.uk>
Tue, 12 May 2026 14:30:41 +0000 (15:30 +0100)
commit: 5628eb485c01e49f08ba7159696f991fcdcc9d80
tree: bceb91dbb7d8c04937541e26dc567bb8d1860ace
parent: 863d38bd981def348e209e63db9f7639ae7cc81c
Avoid string interpolation into bash commands

Although the `clone_url` and `sha` are safe, other similar aspects of
the pull request head are not (e.g. `head.ref`, `pull_request.title` etc)
and these must not be interpolated.

So let's use the convention of putting such data into environment
variables, where the contents are not interpolated into the bash
commands and are instead passed directly to the called program.

https://docs.github.com/en/actions/reference/security/secure-use#use-an-intermediate-environment-variable
.github/workflows/danger.yml
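The convention the commit message describes, shown as an added workflow fragment that is not the repository's own `danger.yml`; the workflow name, trigger and step names are assumptions, while the `github.event.pull_request.*` context paths are the real GitHub Actions ones:

```yaml
# Constructed illustration of the two patterns, not the project's workflow.
name: danger-example
on:
  pull_request_target:

jobs:
  danger:
    runs-on: ubuntu-latest
    steps:
      # Risky pattern: the ${{ }} expression is expanded into the script
      # *text* before bash ever runs. Fields an external contributor controls,
      # such as head.ref or pull_request.title, may contain quotes, `;`,
      # backticks or `$(...)`, which bash then parses as part of the command.
      - name: Interpolated into the command (avoid)
        run: |
          echo "Checking ${{ github.event.pull_request.head.ref }}"

      # Recommended pattern: hand the value to the step via `env:`. The shell
      # receives it as an ordinary environment variable and only ever treats it
      # as data, never as command syntax. Quote the expansion so the value is
      # not word-split or glob-expanded either.
      - name: Passed through an environment variable
        env:
          HEAD_REF: ${{ github.event.pull_request.head.ref }}
          PR_TITLE: ${{ github.event.pull_request.title }}
          CLONE_URL: ${{ github.event.pull_request.head.repo.clone_url }}
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
        run: |
          echo "Checking ${HEAD_REF} (${PR_TITLE})"
          git fetch --no-tags "${CLONE_URL}" "${HEAD_SHA}"
```

Values that are safe today (the message names `clone_url` and `sha`) still benefit from the same treatment, so that one convention applies to every field and a later switch to a riskier field does not reintroduce the problem.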