Security: Fix untrusted input vulnerability in release workflow

[swlodarski-sumoheavy]

Security Fix: Prevent Command Injection in Release Workflow

Summary

This PR fixes a command injection vulnerability in the GitHub Actions release workflow by moving all untrusted inputs and GitHub context variables to environment variables.

Problem

The workflow was directly interpolating user inputs and GitHub context variables into shell commands, which could allow command injection attacks. Specifically:

• ${{ github.event.release.name }} - GitHub context variable
• ${{ github.event.release.body }} - GitHub context variable

Solution

All potentially untrusted values are now passed through environment variables before being used in shell commands. This ensures they are treated as literal strings rather than being evaluated as code.

Changes made:

1. Removed the intermediate extraction step that passed untrusted input through GITHUB_OUTPUT
2. Changed to use environment variables (RELEASE_TITLE, RELEASE_BODY) to safely pass GitHub event data
3. Updated script to reference environment variables instead of directly interpolating GitHub context expressions

Security Impact

This follows the security best practices outlined in the GitHub Security Lab advisory and prevents potential command injection through GitHub Actions expressions.

Testing

• Workflow syntax is valid
• No functional changes to workflow behavior
• All steps continue to work as expected