ci: drop FranzDiebold/github-env-vars-action #9641

This drops the `FranzDiebold/github-env-vars-action` in favor of native
GH-Actions replacement patterns available.

ghcr.io (and other container registries for that matter) do not allow
mix-case image names, so when a the repo is forked by a user with a
mixed case username, or when reused in a repo with a mixed case repo
name, the Docker image tagging step fails.

To fix this, there is now a custom bash step that saves the lowercase
username and repo-name to the step-output, and reuse them in tagging
steps. This is essentially what `FranzDiebold/github-env-vars-action`
action did, but doing so manually allows more control and visibility,
as well as dropping an action that reduces surface area if the third
party action is comproised.

Related: [#9639](http://team.linkorb.com/cards/9639).

Author: Ayesh

.github/workflows/production.yml

@@ -20,8 +20,17 @@ jobs:
           - php8
 
     steps:
-    - name: GitHub Environment Variables Action
-      uses: FranzDiebold/github-env-vars-action@v2
+    - name: Convert repository name and owner to lowercase
+      id: repo_info
+      shell: bash
+      run: |
+        REPO_FULL_NAME="${{ github.repository }}"
+        OWNER_LOWER=$(echo "$REPO_FULL_NAME" | cut -d'/' -f1 | tr '[:upper:]' '[:lower:]')
+        REPO_LOWER=$(echo "$REPO_FULL_NAME" | cut -d'/' -f2 | tr '[:upper:]' '[:lower:]')
+
+        echo "CI_REPOSITORY_OWNER_SLUG=$OWNER_LOWER" >> "$GITHUB_OUTPUT"
+        echo "CI_REPOSITORY_NAME_SLUG=$REPO_LOWER" >> "$GITHUB_OUTPUT"
+        echo "CI_REPOSITORY_FULL_NAME_SLUG=${OWNER_LOWER}/${REPO_LOWER}" >> "$GITHUB_OUTPUT"
 
     - name: Shallow clone code
       uses: actions/checkout@v4
@@ -32,7 +41,7 @@ jobs:
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
-        username: ${{ env.CI_REPOSITORY_OWNER_SLUG }}
+        username: ${{ github.repository_owner }} #ghcr logins allow mixed case usernames
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Build the container image
@@ -49,35 +58,33 @@ jobs:
         severity: 'CRITICAL,HIGH'
 
     - name: Retag new image with latest tag so we can push the scanned version
-      run: docker image tag php-docker-base:trivytemp ghcr.io/${{ env.CI_REPOSITORY_OWNER_SLUG }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }}
+      run: docker image tag php-docker-base:trivytemp ghcr.io/${{ steps.repo_info.outputs.CI_REPOSITORY_FULL_NAME_SLUG }}:${{ matrix.php }}
 
     - name: Push with commit ${{ matrix.php }} tag
-      run: docker push ghcr.io/${{ env.CI_REPOSITORY_OWNER_SLUG }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }}
+      run: docker push ghcr.io/${{ steps.repo_info.outputs.CI_REPOSITORY_FULL_NAME_SLUG }}:${{ matrix.php }}
 
     #review containers
     - name: Build the review container image
-      run: docker build . --tag ghcr.io/${{ github.repository_owner }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }}-review --file Dockerfile.${{ matrix.php }}-review
-    - name: Push with commit *-review tag
-      run: docker push ghcr.io/${{ env.CI_REPOSITORY_OWNER_SLUG }}/${{ env.CI_REPOSITORY_NAME }}:${{ matrix.php }}-review
+      run: docker build . --tag ghcr.io/${{ steps.repo_info.outputs.CI_REPOSITORY_FULL_NAME_SLUG }}:${{ matrix.php }}-review --file Dockerfile.${{ matrix.php }}-review
 
+    - name: Push with commit *-review tag
+      run: docker push ghcr.io/${{ steps.repo_info.outputs.CI_REPOSITORY_FULL_NAME_SLUG }}:${{ matrix.php }}-review
 
   cleanup:
     needs: [build]
     runs-on: ubuntu-latest
     steps:
-    - name: GitHub Environment Variables Action
-      uses: FranzDiebold/github-env-vars-action@v2
 
     - name: Login to Container Registry ghcr.io
       uses: docker/login-action@v3
       with:
         registry: ghcr.io
-        username: ${{ env.CI_REPOSITORY_OWNER_SLUG }}
+        username: ${{ github.repository_owner }} #ghcr logins allow mixed case usernames
         password: ${{ secrets.GITHUB_TOKEN }}
 
     - name: Delete old versions of the package, keeping a few of the newest
       uses: actions/delete-package-versions@v5
       with:
-        package-name: ${{ env.CI_REPOSITORY_NAME }}
+        package-name: ${{ github.event.repository.name }}
         package-type: container
         min-versions-to-keep: 8