fix: github workflow vulnerable to script injection

Signed-off-by: Diogo Teles Sant'Anna <[email protected]>

.github/workflows/hermetic_library_generation.yaml

@@ -19,6 +19,9 @@ on:
     paths:
       - 'generation_config.yaml'
 
+env:
+  HEAD_REF: ${{ github.head_ref }}
+
 jobs:
   library_generation:
     # skip pull requests coming from a forked repository
@@ -37,6 +40,6 @@ jobs:
         [ -z "$(git config user.name)" ] && git config --global user.name "cloud-java-bot"
         bash .github/scripts/hermetic_library_generation.sh \
           --target_branch ${{ github.base_ref }} \
-          --current_branch ${{ github.head_ref }}
+          --current_branch $HEAD_REF
       env:
         GH_TOKEN: ${{ secrets.CLOUD_JAVA_BOT_TOKEN }}