Pin jq dependency and fix accidental double -r arg for sub parsing

Signed-off-by: Mario Minardi <mminardi@shaw.ca>

actions/example-id-tokens/.forgejo/workflows/test.yml

@@ -2,13 +2,14 @@ on: [push]
 
 env:
     JWT_CLI_VERSION: 6.2.0 # renovate: datasource=github-releases depName=jwt-cli packageName=mike-engel/jwt-cli
+    JQ_VERSION: 1.8.1 # renovate: datasource=github-releases depName=jq packageName=jqlang/jq
 
 jobs:
     generation-allowed:
         enable-openid-connect: true
         runs-on: docker
         steps:
-            - run: curl -L -o jq https://github.com/jqlang/jq/releases/latest/download/jq-linux-amd64 && chmod a+x ./jq
+            - run: curl -L -o jq https://github.com/jqlang/jq/releases/download/${{ env.JQ_VERSION }}/jq-linux-amd64 && chmod a+x ./jq
             - run: curl -L -o jwt-linux.tar.gz https://github.com/mike-engel/jwt-cli/releases/download/${{ env.JWT_CLI_VERSION }}/jwt-linux-musl.tar.gz && tar -xvzf ./jwt-linux.tar.gz && chmod a+x ./jwt
             - name: validate token generation works
               run: |
@@ -43,7 +44,7 @@ jobs:
                   WORKFLOW=$(echo $DECODED_JWT_BODY | ./jq -r '.workflow')
                   AUD=$(echo $DECODED_JWT_BODY | ./jq -r '.aud')
                   EVENT_NAME=$(echo $DECODED_JWT_BODY | ./jq -r '.event_name')
-                  SUB=$(echo $DECODED_JWT_BODY | ./jq -r -r '.sub')
+                  SUB=$(echo $DECODED_JWT_BODY | ./jq -r '.sub')
                   if [[ "$WORKFLOW" != "test.yml" ]]; then
                     echo "Error: WORKFLOW should be test.yml but is $WORKFLOW"
                     exit 1