author: Hiroshi SHIBATA <hsbt@ruby-lang.org> 2026-05-20 16:05:40 +0900
committer: Hiroshi SHIBATA <hsbt@ruby-lang.org> 2026-05-20 16:56:02 +0900
commit: 0dc0280bb2542a7c8721536ce998bfb8f2401b5d
tree: 5117b6825c232444b996329cd368042ff0b0fe2c /tool/ruby_vm
parent: fd6a25342f071ada81bf0b452a6fd530468d7bb8

Pass archname through env to avoid template injection

zizmor flags `cd "${{ inputs.archname }}/"` inside `run:` blocks as code injection via template expansion: GitHub Actions substitutes the input value into the shell script verbatim, so a caller passing shell metacharacters could execute arbitrary code.

Hoist `ARCHNAME: ${{ inputs.archname }}` to the job-level `env:` block and reference it as `$ARCHNAME` in shell, matching the pattern already used by tarball-windows.yml (see 942f45b2af).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Diffstat (limited to 'tool/ruby_vm')
0 files changed, 0 insertions, 0 deletions
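
The difference the commit message describes, as an added example that is not part of the commit or of the Ruby workflows: the same input value is first expanded into the script text and then passed as an environment variable. `render_template`, `run_templated`, `run_env` and the sample script line are hypothetical stand-ins for the runner's expression substitution and the workflow's `run:` step; the input value is constructed and only echoes a marker.

```shell
#!/bin/sh
# Added illustration: why template expansion inside `run:` is injectable and
# an env variable is not. All values below are constructed.

# Hypothetical stand-in for the runner's expression step: replaces the literal
# text ${{ inputs.archname }} in a script with the caller's value, verbatim,
# before any shell parses the script.
render_template() {
  script=$1 value=$2 out=
  placeholder='${{ inputs.archname }}'
  while :; do
    case $script in
      *"$placeholder"*)
        out=$out${script%%"$placeholder"*}$value
        script=${script#*"$placeholder"} ;;
      *) break ;;
    esac
  done
  printf '%s' "$out$script"
}

# Before the fix: the input becomes part of the script text.
run_templated() {
  rendered=$(render_template \
    'cd "${{ inputs.archname }}/" 2>/dev/null || true; echo finished' "$1")
  sh -c "$rendered" 2>/dev/null
}

# After the fix: the script text is constant; the input arrives as $ARCHNAME.
run_env() {
  ARCHNAME=$1 sh -c 'cd "$ARCHNAME/" 2>/dev/null || true; echo finished' 2>/dev/null
}

# Constructed input with shell metacharacters; it only echoes a marker.
payload='x"; echo INJECTED; : "'

echo "templated: $(run_templated "$payload" | tr '\n' ' ')"
echo "env:       $(run_env "$payload" | tr '\n' ' ')"
```

In the templated run the closing quote in the value ends the `cd` argument and the rest is parsed as commands; in the env run the shell expands `"$ARCHNAME/"` to a single directory name, however odd.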