fix(framework/tools): eval injection, broken JSON, tmpfile leak (#549)

packages/mosaic/framework/tools/git/pr-metadata.sh

@@ -57,12 +57,20 @@ curl_gitea_pull() {
     local token basic_auth raw_code body_file http_code
     body_file=$(mktemp)
 
+    # shellcheck disable=SC2329 # Invoked by the RETURN trap below.
+    cleanup_gitea_pull_body() {
+        local status=$?
+        rm -f -- "$body_file"
+        trap - RETURN
+        return "$status"
+    }
+    trap cleanup_gitea_pull_body RETURN
+
     token=$(get_gitea_token "$HOST" || true)
     if [[ -n "$token" ]]; then
         raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -H "User-Agent: curl/8" -H "Authorization: token $token" "$api_url" || true)
         if [[ "$raw_code" =~ ^2 ]]; then
-            cat "$body_file"
-            rm -f "$body_file"
+            cat "$body_file" || return $?
             return 0
         fi
         http_code="$raw_code"
@@ -72,8 +80,7 @@ curl_gitea_pull() {
     if [[ -n "$basic_auth" ]]; then
         raw_code=$(curl -sS -w '%{http_code}' -o "$body_file" -u "$basic_auth" -H "User-Agent: curl/8" "$api_url" || true)
         if [[ "$raw_code" =~ ^2 ]]; then
-            cat "$body_file"
-            rm -f "$body_file"
+            cat "$body_file" || return $?
             return 0
         fi
         http_code="$raw_code"
@@ -96,7 +103,6 @@ except Exception:
     message = open(path, encoding="utf-8", errors="replace").read()[:200] or "empty response"
 print(f"Error: Gitea pull request API request failed with HTTP {code}: {message}")
 PY
-    rm -f "$body_file"
     return 1
 }