Fix: Add path sanitization for api_environment to prevent path traversal

[K1nakoo]

What does this PR do?

This PR introduces a strict regex validation for the api_environment variable (populated via CLI arguments or AIRFLOW_CLI_ENVIRONMENT) within the Credentials class of airflowctl.

Why is this needed?

Currently, the environment name is directly passed to os.path.join(default_config_dir, f"{self.api_environment}.json") without any sanitization.
While airflowctl is a client tool, it is frequently executed in automated CI/CD pipelines where the environment variable might be populated dynamically (e.g., from a Git branch name or GitHub Actions runner). If an untrusted input containing directory traversal sequences (like ../../../tmp/evil) is passed, it could unintentionally write .json files outside the target configuration directory, leading to potential CI pipeline configuration overrides.

This patch enforces a Defense-in-Depth approach, ensuring that only valid, safe alphanumeric names (including dashes, periods, and underscores) are processed, completely mitigating the risk of path traversal.

Testing done

• Verified that valid environment names (e.g., production, dev.env-1) work as expected.
• Verified that providing a traversal payload (e.g., ../evil) correctly raises a ValueError and halts execution before any file system operations occur.

---

Was generative AI tooling used to co-author this PR?

• Yes (Gemini)

Generated-by: Gemini following the guidelines

[boring-cyborg]

Congratulations on your first Pull Request and welcome to the Apache Airflow community! If you have any issues or are unsure about any anything please check our Contributors' Guide (https://github.com/apache/airflow/blob/main/contributing-docs/README.rst)
Here are some useful points:

• Pay attention to the quality of your code (ruff, mypy and type annotations). Our prek-hooks will help you with that.
• In case of a new feature add useful documentation (in docstrings or in docs/ directory). Adding a new operator? Check this short guide Consider adding an example DAG that shows how users should use it.
• Consider using Breeze environment for testing locally, it's a heavy docker but it ships with a working Airflow and a lot of integrations.
• Be patient and persistent. It might take some time to get a review or get the final approval from Committers.
• Please follow ASF Code of Conduct for all communication including (but not limited to) comments on Pull Requests, Mailing list and Slack.
• Be sure to read the Airflow Coding style.
• Always keep your Pull Requests rebased, otherwise your build might fail due to changes not related to your commits.
  Apache Airflow is a community-driven project and together we are making it better 🚀.
  In case of doubts contact the developers at:
  Mailing List: dev@airflow.apache.org
  Slack: https://s.apache.org/airflow-slack

[Srabasti]

Congratulations on your first PR @kianelbo !!
Line 165 needs double quotes " instead of single quotes ' causing static checks to fail.
Please run prek locally in your branch and then push changes to repo.

[K1nakoo]

What? who is that haha . But thank you so much for the review and the warm welcome, @Srabasti! 🎉