Avoid evaluation of command substitution in input

In the body of the bash script, `${{ inputs }}` parameters are often quoted with double quotes, which allow command substitution.  This replaces double quotes with single quotes to prevent that and avoid command substitution.

.github/workflows/CI.yml

@@ -59,7 +59,7 @@ jobs:
     env:
       JULIA_DEPOT_PATH: /tmp/julia-depot
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Set cache-name
       id: cache-name
       shell: bash
@@ -117,7 +117,7 @@ jobs:
     env:
       JULIA_DEPOT_PATH: /tmp/julia-depot
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - uses: julia-actions/setup-julia@v2
       with:
         version: ${{ matrix.version }}
@@ -161,7 +161,7 @@ jobs:
     outputs:
       cache-name: ${{ steps.cache-name.outputs.cache-name }}
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Set cache-name
       id: cache-name
       run: |
@@ -193,7 +193,7 @@ jobs:
     needs: test-save-nomatrix
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Restore cache
       id: cache
       uses: ./
@@ -233,7 +233,7 @@ jobs:
     outputs:
       cache-name: ${{ steps.cache-name.outputs.cache-name }}
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Set cache-name
       id: cache-name
       run: |
@@ -259,7 +259,7 @@ jobs:
     needs: test-save-cloned-registry
     runs-on: ubuntu-latest
     steps:
-    - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+    - uses: actions/checkout@692973e3d937129bcbf40652eb9f2f61becf3332
     - name: Add General registry clone
       shell: julia --color=yes {0}
       run: |

README.md

@@ -64,9 +64,6 @@ By default, this action removes caches that were previously made by jobs on the
 GitHub automatically removes old caches after a certain period or when the repository cache allocation is full.
 It is, however, more efficient to explicitly remove old caches to improve caching for less frequently run jobs.
 
-For more information about Github caching generically, for example how to manually delete caches, see
-[this Github documentation page](https://docs.github.com/en/actions/writing-workflows/choosing-what-your-workflow-does/caching-dependencies-to-speed-up-workflows#managing-caches).
-
 ### Cache keys
 
 The cache key that the cache will be saved as is based on:

action.yml

@@ -47,25 +47,19 @@ outputs:
   cache-hit:
     description: A boolean value to indicate an exact match was found for the primary key. Returns "" when the key is new. Forwarded from actions/cache.
     value: ${{ steps.hit.outputs.cache-hit }}
-  cache-paths:
-    description: The paths that were cached
-    value: ${{ steps.paths.outputs.cache-paths }}
-  cache-key:
-    description: The full cache key used
-    value: ${{ steps.keys.outputs.key }}
 
 runs:
   using: 'composite'
   steps:
     - name: Install jq
-      uses: dcarbone/install-jq-action@f0e10f46ff84f4d32178b4b76e1ef180b16f82c3 # v3.1.1
+      uses: dcarbone/install-jq-action@8867ddb4788346d7c22b72ea2e2ffe4d514c7bcb
       with:
         force: false  # Skip install when an existing `jq` is present
 
     - id: paths
       run: |
-        if [ -n "${{ inputs.depot }}" ]; then
+        if [ -n '${{ inputs.depot }}' ]; then
-            depot="${{ inputs.depot }}"
+            depot='${{ inputs.depot }}'
         elif [ -n "$JULIA_DEPOT_PATH" ]; then
             # Use the first depot path
             depot=$(echo $JULIA_DEPOT_PATH | cut -d$PATH_DELIMITER -f1)
@@ -74,7 +68,6 @@ runs:
         fi
         if [[ "$OSTYPE" == "msys" || "$OSTYPE" == "cygwin" ]]; then
           depot="${depot/#\~/$USERPROFILE}"  # Windows paths
-          depot="${depot//\\//}"             # Replace backslashes with forward slashes
         else
           depot="${depot/#\~/$HOME}"  # Unix-like paths
         fi
@@ -82,11 +75,11 @@ runs:
 
         cache_paths=()
         artifacts_path="${depot}/artifacts"
-        [ "${{ inputs.cache-artifacts }}" = "true" ] && cache_paths+=("$artifacts_path")
+        [ '${{ inputs.cache-artifacts }}' = "true" ] && cache_paths+=("$artifacts_path")
         packages_path="${depot}/packages"
-        [ "${{ inputs.cache-packages }}" = "true" ] && cache_paths+=("$packages_path")
+        [ '${{ inputs.cache-packages }}' = "true" ] && cache_paths+=("$packages_path")
         registries_path="${depot}/registries"
-        if [ "${{ inputs.cache-registries }}" = "true" ]; then
+        if [ '${{ inputs.cache-registries }}' = "true" ]; then
             if [ ! -d "${registries_path}" ]; then
                 cache_paths+=("$registries_path")
             else
@@ -94,11 +87,11 @@ runs:
             fi
         fi
         compiled_path="${depot}/compiled"
-        [ "${{ inputs.cache-compiled }}" = "true" ] && cache_paths+=("$compiled_path")
+        [ '${{ inputs.cache-compiled }}' = "true" ] && cache_paths+=("$compiled_path")
         scratchspaces_path="${depot}/scratchspaces"
-        [ "${{ inputs.cache-scratchspaces }}" = "true" ] && cache_paths+=("$scratchspaces_path")
+        [ '${{ inputs.cache-scratchspaces }}' = "true" ] && cache_paths+=("$scratchspaces_path")
         logs_path="${depot}/logs"
-        [ "${{ inputs.cache-logs }}" = "true" ] && cache_paths+=("$logs_path")
+        [ '${{ inputs.cache-logs }}' = "true" ] && cache_paths+=("$logs_path")
         {
             echo "cache-paths<<EOF"
             printf "%s\n" "${cache_paths[@]}"
@@ -113,10 +106,10 @@ runs:
       run: |
         # `matrix_key` joins all of matrix keys/values (including nested objects) to ensure that concurrent runs each use a unique cache key.
         # When `matrix` isn't set for the job then `MATRIX_JSON=null`.
-        if [ "${{ inputs.include-matrix }}" == "true" ] && [ "$MATRIX_JSON" != "null" ]; then
+        if [ '${{ inputs.include-matrix }}' == "true" ] && [ "$MATRIX_JSON" != "null" ]; then
           matrix_key=$(echo "$MATRIX_JSON" | jq 'paths(type != "object") as $p | ($p | join("-")) + "=" + (getpath($p) | tostring)' | jq -rs 'join(";") | . + ";"')
         fi
-        restore_key="${{ inputs.cache-name }};os=${{ runner.os }};${matrix_key}"
+        restore_key='${{ inputs.cache-name }};os=${{ runner.os }};${matrix_key}'
         # URL encode any restricted characters:
         # https://github.com/actions/toolkit/blob/5430c5d84832076372990c7c27f900878ff66dc9/packages/cache/src/cache.ts#L38-L43
         restore_key=$(sed 's/,/%2C/g' <<<"${restore_key}")
@@ -127,7 +120,7 @@ runs:
       env:
         MATRIX_JSON: ${{ toJSON(matrix) }}
 
-    - uses: actions/cache@5a3ec84eff668545956fd18022155c47e93e2684 # v4.2.3
+    - uses: actions/cache@0c45773b623bea8c8e75f6c82b208c3cf94ea4f9 # v4.0.2
       id: cache
       with:
         path: |
@@ -178,7 +171,7 @@ runs:
     # - https://docs.github.com/en/actions/using-workflows/caching-dependencies-to-speed-up-workflows#usage-limits-and-eviction-policy
 
     # Not windows
-    - uses: pyTooling/Actions/with-post-step@42e17fae05f224e5ac3d79d021a4e3577878efe5 # v4.2.2
+    - uses: pyTooling/Actions/with-post-step@e9d0dc3dba9fda45f195946858708f60c0240caf # v1.0.5
       if: ${{ inputs.delete-old-caches != 'false' &&
               github.ref != format('refs/heads/{0}', github.event.repository.default_branch) &&
               runner.OS != 'Windows' }}
@@ -186,18 +179,18 @@ runs:
         # seems like there has to be a `main` step in this action. Could list caches for info if we wanted
         # main:  julia ${{ github.action_path }}/handle_caches.jl "${{ github.repository }}" "list"
         main: echo ""
-        post: julia $GITHUB_ACTION_PATH/handle_caches.jl rm "${{ github.repository }}" "${{ steps.keys.outputs.restore-key }}" "${{ github.ref }}" "${{ inputs.delete-old-caches != 'required' }}"
+        post: julia $GITHUB_ACTION_PATH/handle_caches.jl rm '${{ github.repository }}' '${{ steps.keys.outputs.restore-key }}' '${{ github.ref }}' "${{ inputs.delete-old-caches != 'required' }}"
       env:
         GH_TOKEN: ${{ inputs.token }}
 
     # Windows (because this action uses command prompt on windows)
-    - uses: pyTooling/Actions/with-post-step@42e17fae05f224e5ac3d79d021a4e3577878efe5 # v4.2.2
+    - uses: pyTooling/Actions/with-post-step@e9d0dc3dba9fda45f195946858708f60c0240caf # v1.0.5
       if: ${{ inputs.delete-old-caches != 'false' &&
               github.ref != format('refs/heads/{0}', github.event.repository.default_branch) &&
               runner.OS == 'Windows' }}
       with:
         main: echo ""
-        post: cd %GITHUB_ACTION_PATH% && julia handle_caches.jl rm "${{ github.repository }}" "${{ steps.keys.outputs.restore-key }}" "${{ github.ref }}" "${{ inputs.delete-old-caches != 'required' }}"
+        post: cd %GITHUB_ACTION_PATH% && julia handle_caches.jl rm '${{ github.repository }}' '${{ steps.keys.outputs.restore-key }}' '${{ github.ref }}' "${{ inputs.delete-old-caches != 'required' }}"
       env:
         GH_TOKEN: ${{ inputs.token }}