Complete code injection fix by removing remaining GitHub expression in shell script

[Copilot]

Addresses review feedback on PR #117 - the original fix migrated RELEASE_VERSION to an environment variable but left steps.create_release.outputs.url directly interpolated in the shell script.

Changes:

• Map steps.create_release.outputs.url to RELEASE_URL environment variable
• Reference via $RELEASE_URL in echo statement instead of ${{ ... }} expression

Before:

- name: Release complete
  env:
    RELEASE_VERSION: ${{ steps.version.outputs.version }}
  run: |
    echo "Version: v$RELEASE_VERSION"
    echo "Release URL: ${{ steps.create_release.outputs.url }}"

After:

- name: Release complete
  env:
    RELEASE_VERSION: ${{ steps.version.outputs.version }}
    RELEASE_URL: ${{ steps.create_release.outputs.url }}
  run: |
    echo "Version: v$RELEASE_VERSION"
    echo "Release URL: $RELEASE_URL"

This completes the pattern of keeping GitHub expressions in env: declarations while using native shell variable expansion in run: blocks, eliminating CodeQL's code injection alert.

---

💡 You can make Copilot smarter by setting up custom instructions, customizing its development environment and configuring Model Context Protocol (MCP) servers. Learn more Copilot coding agent tips in the docs.

[Copilot]

Copilot wasn't able to review any files in this pull request.