template-injection: eliminate false positives with the env.* context

[woodruffw]

Right now, there are a bunch of false positives when a run: context contains ${{ env.whatever }}. In particular, the following is entirely safe, but we treat it as a potential injection:

run: "echo ${{ env.foo }}"
env:
  foo: foo

We should do something similar to the static matrix check (but simplified, since there are thankfully no dimensions) for env. Specifically, we should not emit findings when the context is env and the referenced value is fully static (i.e. does not itself contain an expression).

[woodruffw]

See curl/curl#15746 for some more context.

[woodruffw]

Thinking out loud: this isn't 100% trivial since each step/job/workflow env is a LoE<Env>, i.e. can be either a literal env mapping (with interior expressions) or a full-blown expression. So I think I'll start with just a Step::env_key_is_static API.