MAINT: Fix two cases of code injection via template expansion

[agriyakhetarpal]

This PR fixes two cases of template injection that Zizmor caught, from a local run.

cc: @rgommers

[rgommers]

Thanks @agriyakhetarpal. I'm not sure this is a valid concern for this repo, given that we don't run CI on PRs from anyone but release team and org admin members. So the reason to change this would be to make using zizmor easier.

[agriyakhetarpal]

Thanks @rgommers. Indeed, this only changes what I saw through zizmor. Running the tool locally occasionally might be a good idea, as I mentioned to you privately elsewhere, in the extremely unlikely event that this repository gets compromised (this is still an attack vector, though a tad difficult to exploit here). If you and the rest of the release team agree with this PR at some later point, please feel free to merge this from the command line as you like, or merge it manually.

[andyfaff]

It seems like a +0.5 change, so it's worth merging if CI passes (the run was manually approved).