CI: fix zizmor 1.9.0 warnings, shellcheck verify CI shell code, fix fallouts

zizmor 1.9.0 effectively bans using GHA macros within shell script
snippets. Rework them to pass GHA macro values via envs and use those
envs in shell snippets. `${{ env.* }}` macros could be converted
to native env references after making their names shell-compatible.

Envs and shell commands can no longer be used in GHA macro values. Most
cases could be fixed by using literals. Passing quoted values with
spaces combined with other args also doesn't work anymore. This was
replaced by passing them separately.

Despite the initial complications, avoiding GHA macros in scripts does
seems to make the CI code reasonable cleaner. It also makes it possible
to analyze the scripts with shellcheck, finding subtle issues that went
unnoticed till now.

Also:
- un-ignore and fix three existing zizmor `template-injection` issues.
- add script to extract and shellcheck all shell code stored within GHA
  and Circle CI YAML files.
- add CI job to run this script.
- fix shellcheck issues discovered.
- fix minor differences between cmake and autotools FreeBSD jobs.
- merge cmake/autotools FreeBSD jobs to avoid developing unwanted
  differences again.
- fix/sync quote use across shell code.
- replace `$HOME` with `~` or literal where it made sense.
- replace most `brew --prefix` with literals.
- move all curl install tests to the `curl-install*` prefix.
- add missing curl install tests to cygwin/msys/mingw/*bsd.
- pipe to `tar` instead of storing downloads on disk.
- drop unnecessary `PKG_CONFIG_PATH` when building nghttp3.

Ref: https://github.com/curl/curl/actions/runs/15461461371/job/43523546041
Ref: https://github.com/zizmorcore/zizmor/releases/tag/v1.9.0

Follow-up to e522f47986 #17278

Closes #17537

.circleci/config.yml

@@ -52,11 +52,11 @@ commands:
       - run:
           command: |
             # renovate: datasource=github-tags depName=wolfSSL/wolfssl versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
-            WOLFSSL_VER=5.8.0
-            echo "Installing wolfSSL $WOLFSSL_VER"
-            curl -LOsSf --retry 6 --retry-connrefused --max-time 999 https://github.com/wolfSSL/wolfssl/archive/v$WOLFSSL_VER-stable.tar.gz
-            tar -xzf v$WOLFSSL_VER-stable.tar.gz
-            cd wolfssl-$WOLFSSL_VER-stable
+            WOLFSSL_VERSION=5.8.0
+            echo "Installing wolfSSL $WOLFSSL_VERSION"
+            curl -LOsSf --retry 6 --retry-connrefused --max-time 999 https://github.com/wolfSSL/wolfssl/archive/v$WOLFSSL_VERSION-stable.tar.gz
+            tar -xzf v$WOLFSSL_VERSION-stable.tar.gz
+            cd wolfssl-$WOLFSSL_VERSION-stable
             ./autogen.sh
             ./configure --disable-dependency-tracking --enable-tls13 --enable-all --enable-harden --prefix=$HOME/wssl
             make install
@@ -66,11 +66,11 @@ commands:
       - run:
           command: |
             # renovate: datasource=github-tags depName=wolfSSL/wolfssh versioning=semver extractVersion=^v?(?<version>.+)-stable$ registryUrl=https://github.com
-            WOLFSSH_VER=1.4.19
-            echo "Installing wolfSSH $WOLFSSH_VER"
-            curl -LOsSf --retry 6 --retry-connrefused --max-time 999 https://github.com/wolfSSL/wolfssh/archive/v$WOLFSSH_VER-stable.tar.gz
-            tar -xzf v$WOLFSSH_VER-stable.tar.gz
-            cd wolfssh-$WOLFSSH_VER-stable
+            WOLFSSH_VERSION=1.4.19
+            echo "Installing wolfSSH $WOLFSSH_VERSION"
+            curl -LOsSf --retry 6 --retry-connrefused --max-time 999 https://github.com/wolfSSL/wolfssh/archive/v$WOLFSSH_VERSION-stable.tar.gz
+            tar -xzf v$WOLFSSH_VERSION-stable.tar.gz
+            cd wolfssh-$WOLFSSH_VERSION-stable
             ./autogen.sh
             ./configure --disable-dependency-tracking --with-wolfssl=$HOME/wssl --prefix=$HOME/wssh --enable-scp --enable-sftp --disable-term --disable-examples
             make install