action.yml: use step-level env vars instead of direct vars in commands

It seems unlikely that users would configure this action in a way to
allow injection of malicious content into the commands we run, but
better to be safe here, since GitHub Actions are a footgun with a hair
trigger.

Change-Id: I8d137a1f98f832c8d22506b309f20644fc74e4ec
Reviewed-on: https://go-review.googlesource.com/c/govulncheck-action/+/797300
Reviewed-by: Neal Patel <nealpatel@google.com>
Reviewed-by: Neal Patel <neal@golang.org>
TryBot-Bypass: Roland Shoemaker <roland@golang.org>
Auto-Submit: Roland Shoemaker <roland@golang.org>
Commit-Queue: Roland Shoemaker <roland@golang.org>
diff --git a/action.yml b/action.yml
index 7a33d71..6fe7e2c 100644
--- a/action.yml
+++ b/action.yml
@@ -60,9 +60,18 @@
         GOARCH: ''
     - if: inputs.output-file == ''
       name: Run govulncheck
-      run: govulncheck -C ${{ inputs.work-dir }} -format ${{ inputs.output-format }} ${{ inputs.go-package }}
+      run: govulncheck -C "$WORK_DIR" -format "$OUTPUT_FORMAT" "$GO_PACKAGE"
       shell: bash
+      env:
+        WORK_DIR: ${{ inputs.work-dir }}
+        OUTPUT_FORMAT: ${{ inputs.output-format }}
+        GO_PACKAGE: ${{ inputs.go-package }}
     - if: inputs.output-file != ''
       name: Run govulncheck and save to file
-      run: govulncheck -C ${{ inputs.work-dir }} -format ${{ inputs.output-format }} ${{ inputs.go-package }} > ${{ inputs.output-file }}
+      run: govulncheck -C "$WORK_DIR" -format "$OUTPUT_FORMAT" "$GO_PACKAGE" > "$OUTPUT_FILE"
       shell: bash
+      env:
+        WORK_DIR: ${{ inputs.work-dir }}
+        OUTPUT_FORMAT: ${{ inputs.output-format }}
+        GO_PACKAGE: ${{ inputs.go-package }}
+        OUTPUT_FILE: ${{ inputs.output-file }}