Avoid evaluation of command substitution in input

In the body of the bash script, `${{ inputs }}` parameters are often quoted with double quotes, which allow command substitution.  This replaces double quotes with single quotes to prevent that and avoid command substitution.

.github/workflows/CI.yml

@@ -59,7 +59,7 @@ jobs:
     env:
       JULIA_DEPOT_PATH: /tmp/julia-depot
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Set cache-name
       id: cache-name
       shell: bash
@@ -117,7 +117,7 @@ jobs:
     env:
       JULIA_DEPOT_PATH: /tmp/julia-depot
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - uses: julia-actions/setup-julia@v2
       with:
         version: ${{ matrix.version }}
@@ -161,7 +161,7 @@ jobs:
     outputs:
       cache-name: ${{ steps.cache-name.outputs.cache-name }}
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Set cache-name
       id: cache-name
       run: |
@@ -193,7 +193,7 @@ jobs:
     needs: test-save-nomatrix
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Restore cache
       id: cache
       uses: ./
@@ -233,7 +233,7 @@ jobs:
     outputs:
       cache-name: ${{ steps.cache-name.outputs.cache-name }}
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Set cache-name
       id: cache-name
       run: |
@@ -259,7 +259,7 @@ jobs:
     needs: test-save-cloned-registry
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Add General registry clone
       shell: julia --color=yes {0}
       run: |

README.md

@@ -20,7 +20,7 @@ jobs:
   test:
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@v6
+    - uses: actions/checkout@v4
     - uses: julia-actions/setup-julia@v2
     - uses: julia-actions/cache@v2
     - uses: julia-actions/julia-buildpkg@v1
@@ -51,8 +51,6 @@ By default all depot directories called out below are cached.
 ### Outputs
 
 - `cache-hit` - A boolean value to indicate an exact match was found for the primary key. Returns \"\" when the key is new. Forwarded from actions/cache.
-- `cache-paths` - A list of paths (as a newline-separated string) that were cached.
-- `cache-key` - The cache key that was used for this run.
 
 ## How It Works
 
@@ -66,9 +64,6 @@ By default, this action removes caches that were previously made by jobs on the
 GitHub automatically removes old caches after a certain period or when the repository cache allocation is full.
 It is, however, more efficient to explicitly remove old caches to improve caching for less frequently run jobs.
 
-For more information about GitHub caching generically, for example how to manually delete caches, see
-[this GitHub documentation page](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#managing-caches).
-
 ### Cache keys
 
 The cache key that the cache will be saved as is based on:
@@ -79,7 +74,7 @@ The cache key that the cache will be saved as is based on:
 - The run attempt number
 
 > [!NOTE]
-> If there is job concurrency that is not fully defined by a matrix you should ensure that `cache-name` is
+> If there is job concurrency that is not fully defined by a matrix you should ensure that `cache-name` is 
 > unique for each concurrent job, otherwise caching may not be effective.
 
 ### Cache Retention
@@ -106,35 +101,6 @@ Which means your caches files will not grow needlessly. GitHub also deletes cach
 
 To disable deletion set input `delete-old-caches: 'false'`.
 
-### Caching even if an intermediate job fails
-
-Just like [the basic actions/cache workflow](https://github.com/actions/cache), this action has a cache restore step, and also a save step which runs after the workflow completes.
-By default, if any job in the workflow fails, the entire workflow will be stopped, and the cache will not be saved.
-
-Due to current limitations in GitHub Actions syntax, there is no built-in option for this action to save the cache even if the job fails.
-However, it does output information which you can feed into `actions/cache` yourself to achieve the same effect.
-For example, this workflow will ensure that the cache is saved if a step fails (but skipping it if the cache was hit, i.e. there's no need to cache it again).
-
-```yaml
-    steps:
-      - uses: actions/checkout@v4
-
-      - name: Load Julia packages from cache
-        id: julia-cache
-        uses: julia-actions/cache@v2
-
-      # do whatever you want here (that might fail)
-
-      - name: Save Julia depot cache on cancel or failure
-        id: julia-cache-save
-        if: cancelled() || failure()
-        uses: actions/cache/save@v4
-        with:
-          path: |
-            ${{ steps.julia-cache.outputs.cache-paths }}
-          key: ${{ steps.julia-cache.outputs.cache-key }}
-```
-
 ### Cache Garbage Collection
 
 Caches are restored and re-saved after every run, retaining the state of the depot throughout runs.

action.yml

@@ -47,25 +47,19 @@ outputs:
   cache-hit:
     description: A boolean value to indicate an exact match was found for the primary key. Returns "" when the key is new. Forwarded from actions/cache.
     value: ${{ steps.hit.outputs.cache-hit }}
-  cache-paths:
-    description: The paths that were cached
-    value: ${{ steps.paths.outputs.cache-paths }}
-  cache-key:
-    description: The full cache key used
-    value: ${{ steps.keys.outputs.key }}
 
 runs:
   using: 'composite'
   steps:
     - name: Install jq
-      uses: dcarbone/install-jq-action@b7ef57d46ece78760b4019dbc4080a1ba2a40b45 # v3.2.0
+      uses: dcarbone/install-jq-action@8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb
       with:
         force: false  # Skip install when an existing `jq` is present
 
     - id: paths
       run: |
-        if [ -n "${{ inputs.depot }}" ]; then
-            depot="${{ inputs.depot }}"
+        if [ -n '${{ inputs.depot }}' ]; then
+            depot='${{ inputs.depot }}'
         elif [ -n "$JULIA_DEPOT_PATH" ]; then
             # Use the first depot path
             depot=$(echo $JULIA_DEPOT_PATH | cut -d$PATH_DELIMITER -f1)
@@ -74,7 +68,6 @@ runs:
         fi
         if [[ "$OSTYPE" == "msys" || "$OSTYPE" == "cygwin" ]]; then
           depot="${depot/#\~/$USERPROFILE}"  # Windows paths
-          depot="${depot//\\//}"             # Replace backslashes with forward slashes
         else
           depot="${depot/#\~/$HOME}"  # Unix-like paths
         fi
@@ -82,11 +75,11 @@ runs:
 
         cache_paths=()
         artifacts_path="${depot}/artifacts"
-        [ "${{ inputs.cache-artifacts }}" = "true" ] && cache_paths+=("$artifacts_path")
+        [ '${{ inputs.cache-artifacts }}' = "true" ] && cache_paths+=("$artifacts_path")
         packages_path="${depot}/packages"
-        [ "${{ inputs.cache-packages }}" = "true" ] && cache_paths+=("$packages_path")
+        [ '${{ inputs.cache-packages }}' = "true" ] && cache_paths+=("$packages_path")
         registries_path="${depot}/registries"
-        if [ "${{ inputs.cache-registries }}" = "true" ]; then
+        if [ '${{ inputs.cache-registries }}' = "true" ]; then
             if [ ! -d "${registries_path}" ]; then
                 cache_paths+=("$registries_path")
             else
@@ -94,11 +87,11 @@ runs:
             fi
         fi
         compiled_path="${depot}/compiled"
-        [ "${{ inputs.cache-compiled }}" = "true" ] && cache_paths+=("$compiled_path")
+        [ '${{ inputs.cache-compiled }}' = "true" ] && cache_paths+=("$compiled_path")
         scratchspaces_path="${depot}/scratchspaces"
-        [ "${{ inputs.cache-scratchspaces }}" = "true" ] && cache_paths+=("$scratchspaces_path")
+        [ '${{ inputs.cache-scratchspaces }}' = "true" ] && cache_paths+=("$scratchspaces_path")
         logs_path="${depot}/logs"
-        [ "${{ inputs.cache-logs }}" = "true" ] && cache_paths+=("$logs_path")
+        [ '${{ inputs.cache-logs }}' = "true" ] && cache_paths+=("$logs_path")
         {
             echo "cache-paths<<EOF"
             printf "%s\n" "${cache_paths[@]}"
@@ -113,10 +106,10 @@ runs:
       run: |
         # `matrix_key` joins all of matrix keys/values (including nested objects) to ensure that concurrent runs each use a unique cache key.
         # When `matrix` isn't set for the job then `MATRIX_JSON=null`.
-        if [ "${{ inputs.include-matrix }}" == "true" ] && [ "$MATRIX_JSON" != "null" ]; then
+        if [ '${{ inputs.include-matrix }}' == "true" ] && [ "$MATRIX_JSON" != "null" ]; then
           matrix_key=$(echo "$MATRIX_JSON" | jq 'paths(type != "object") as $p | ($p | join("-")) + "=" + (getpath($p) | tostring)' | jq -rs 'join(";") | . + ";"')
         fi
-        restore_key="${{ inputs.cache-name }};os=${{ runner.os }};${matrix_key}"
+        restore_key='${{ inputs.cache-name }};os=${{ runner.os }};${matrix_key}'
         # URL encode any restricted characters:
         # https://github.com/actions/toolkit/blob/5430c5d84832076372990c7c27f900878ff66dc9/packages/cache/src/cache.ts#L38-L43
         restore_key=$(sed 's/,/%2C/g' <<<"${restore_key}")
@@ -127,7 +120,7 @@ runs:
       env:
         MATRIX_JSON: ${{ toJSON(matrix) }}
 
-    - uses: actions/cache@cdf6c1fa76f9f475f3d7449005a359c84ca0f306 # v5.0.3
+    - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       id: cache
       with:
         path: |
@@ -178,7 +171,7 @@ runs:
     # - https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy
 
     # Not windows
-    - uses: pyTooling/Actions/with-post-step@370c306306304663febee1525552a09e061588fa # v7.4.2
+    - uses: pyTooling/Actions/with-post-step@e9d0dc3dba9fda45f195946858708f60c0240caf # v1.0.5
       if: ${{ inputs.delete-old-caches != 'false' &&
               github.ref != format('refs/heads/{0}', github.event.repository.default_branch) &&
               runner.OS != 'Windows' }}
@@ -186,18 +179,18 @@ runs:
         # seems like there has to be a `main` step in this action. Could list caches for info if we wanted
         # main:  julia ${{ github.action_path }}/handle_caches.jl "${{ github.repository }}" "list"
         main: echo ""
-        post: julia $GITHUB_ACTION_PATH/handle_caches.jl rm "${{ github.repository }}" "${{ steps.keys.outputs.restore-key }}" "${{ github.ref }}" "${{ inputs.delete-old-caches != 'required' }}"
+        post: julia $GITHUB_ACTION_PATH/handle_caches.jl rm '${{ github.repository }}' '${{ steps.keys.outputs.restore-key }}' '${{ github.ref }}' "${{ inputs.delete-old-caches != 'required' }}"
       env:
         GH_TOKEN: ${{ inputs.token }}
 
     # Windows (because this action uses command prompt on windows)
-    - uses: pyTooling/Actions/with-post-step@370c306306304663febee1525552a09e061588fa # v7.4.2
+    - uses: pyTooling/Actions/with-post-step@e9d0dc3dba9fda45f195946858708f60c0240caf # v1.0.5
       if: ${{ inputs.delete-old-caches != 'false' &&
               github.ref != format('refs/heads/{0}', github.event.repository.default_branch) &&
               runner.OS == 'Windows' }}
       with:
         main: echo ""
-        post: cd %GITHUB_ACTION_PATH% && julia handle_caches.jl rm "${{ github.repository }}" "${{ steps.keys.outputs.restore-key }}" "${{ github.ref }}" "${{ inputs.delete-old-caches != 'required' }}"
+        post: cd %GITHUB_ACTION_PATH% && julia handle_caches.jl rm '${{ github.repository }}' '${{ steps.keys.outputs.restore-key }}' '${{ github.ref }}' "${{ inputs.delete-old-caches != 'required' }}"
       env:
         GH_TOKEN: ${{ inputs.token }}