Use random delimiter when writing to env files

Recommended by GitHub for security.
See https://docs.github.com/en/actions/using-workflows/workflow-commands-for-github-actions#multiline-strings

Also: It is not unthinkable that an output contains the word `EOF` which would cause problems.

Signed-off-by: Philipp Stehle <philipp.stehle@sap.com>

internal/toolkit/toolkit.go

@@ -17,6 +17,8 @@
 package toolkit
 
 import (
+	"crypto/rand"
+	"encoding/hex"
 	"errors"
 	"fmt"
 	"io"
@@ -92,6 +94,7 @@ type DefaultToolkit struct {
 
 	Environment map[string]string
 	Writer      io.Writer
+	Delemiter   string
 }
 
 func (d *DefaultToolkit) AddPath(paths ...string) error {
@@ -134,7 +137,7 @@ func (d *DefaultToolkit) export(env string, name string, value string) error {
 	defer f.Close()
 
 	if strings.ContainsRune(value, '\n') {
-		if _, err := fmt.Fprintln(f, fmt.Sprintf("%s<<EOF\n%s\nEOF", name, value)); err != nil {
+		if _, err := fmt.Fprintln(f, fmt.Sprintf("%s<<%s\n%s\n%s", name, d.Delemiter, value, d.Delemiter)); err != nil {
 			return FailedError("unable to write variable")
 		}
 	} else {
@@ -256,6 +259,15 @@ func (d *DefaultToolkit) init() {
 	if d.Writer == nil {
 		d.Writer = os.Stdout
 	}
+
+	if d.Delemiter == "" {
+		data := make([]byte, 16) // roughly the same entropy as uuid v4 used in https://github.com/actions/toolkit/blob/b36e70495fbee083eb20f600eafa9091d832577d/packages/core/src/file-command.ts#L28
+		_, err := rand.Read(data)
+		if err != nil {
+			panic(fmt.Errorf("could not generate random delimiter: %w", err))
+		}
+		d.Delemiter = hex.EncodeToString(data)
+	}
 }
 
 func errorString(a ...interface{}) string {

internal/toolkit/toolkit_test.go

@@ -81,7 +81,7 @@ func TestToolkit(t *testing.T) {
 
 			var (
 				b  = &bytes.Buffer{}
-				tk = toolkit.DefaultToolkit{Writer: b}
+				tk = toolkit.DefaultToolkit{Writer: b, Delemiter: "EOF"}
 			)
 
 			it("adds path", func() {