@swlodarski-sumoheavy

Security Fix: Prevent Command Injection in Release Workflow

Summary

This PR fixes a command injection vulnerability in the GitHub Actions release workflow by moving all untrusted inputs and GitHub context variables to environment variables.

Problem

The workflow was directly interpolating user inputs and GitHub context variables into shell commands, which could allow command injection attacks. Specifically:

  • ${{ github.event.inputs.bump }} - User-controlled workflow input
  • ${{ github.event.inputs.overview }} - User-controlled workflow input
  • ${{ github.ref_name }} - GitHub context variable
  • ${{ github.repository }} - GitHub context variable
  • ${{ steps.version.outputs.version }} - Step output used in shell commands
  • ${{ steps.release_data.outputs.title }} - Step output used in shell commands
  • ${{ steps.release_data.outputs.body }} - Step output used in shell commands

Solution

All potentially untrusted values are now passed through environment variables before being used in shell commands. This ensures they are treated as literal strings rather than being evaluated as code.

Changes made:

  1. Push version bump and tag - Moved BUMP_TYPE and REF_NAME to env vars
  2. Get merged PR titles - Moved RELEASE_OVERVIEW, REF_NAME, and REPOSITORY to env vars
  3. Create GitHub release - Moved VERSION and RELEASE_NOTES to env vars
  4. Extract release data - Moved VERSION to env var
  5. Publish changelog - Moved RELEASE_TITLE and RELEASE_BODY to env vars

Security Impact

This follows the security best practices outlined in the GitHub Security Lab advisory and prevents potential command injection through GitHub Actions expressions.

Testing

  • Workflow syntax is valid
  • No functional changes to workflow behavior
  • All steps continue to work as expected

@swlodarski-sumoheavy changed the title from "Security: Fix untrusted input vulnerability in release workflow" to "Security: Fix untrusted input vulnerability in release workflow - 8.0.x" on Feb 2, 2026
@bobbrodie merged commit ccf5c17 into bitpay:8.0.x on Feb 2, 2026
6 checks passed
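
A check for the pattern this PR removes, added here as an example (not code from the PR or the bitpay repository): a standard-library linter that reports every `${{ ... }}` expression still interpolated inside a `run:` script, while ignoring expressions assigned under `env:`. The sample workflow is constructed; its commands are assumptions, and only the expression and variable names come from the PR description.

```python
import re

EXPR = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
RUN_KEY = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")

# Constructed sample: one step before the fix, the same step after it.
SAMPLE = """\
jobs:
  release:
    steps:
      - name: Push version bump and tag (before)
        run: |
          echo "Bumping ${{ github.event.inputs.bump }}"
          git push origin "${{ github.ref_name }}"
      - name: Push version bump and tag (after)
        env:
          BUMP_TYPE: ${{ github.event.inputs.bump }}
          REF_NAME: ${{ github.ref_name }}
        run: |
          echo "Bumping $BUMP_TYPE"
          git push origin "$REF_NAME"
"""

def find_inline_expressions(workflow_text):
    """Return (line_number, expression) for each ${{ }} inside a run: script."""
    findings = []
    key_col = None  # column of the run: key while inside its block scalar
    for number, line in enumerate(workflow_text.splitlines(), start=1):
        indent = len(line) - len(line.lstrip(" "))
        if key_col is not None and line.strip() and indent <= key_col:
            key_col = None  # dedent: the script block has ended
        if key_col is not None:
            script = line  # a line of a multi-line run: script
        else:
            key = RUN_KEY.match(line)
            if not key:
                continue  # env:, name:, with: ... are not shell text
            script = key.group(2)
            if script[:1] in ("|", ">"):
                key_col = len(key.group(1))
                continue  # script body starts on the next line
        findings += [(number, expr) for expr in EXPR.findall(script)]
    return findings

if __name__ == "__main__":
    for number, expr in find_inline_expressions(SAMPLE):
        print(f"line {number}: '{expr}' is expanded into the script text; pass it via env:")
```

The linter flags every expression in a script, trusted or not, which matches the PR's approach of moving all of them to environment variables.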