security(gha): fix potential for shell injection (#4099)

Running these workflows is gated pretty well, but this mitigates the
potential for a script injection attack by passing the input to an
intermediary environment variable first.

See
https://docs.github.com/en/actions/security-for-github-actions/security-guides/security-hardening-for-github-actions#example-of-a-script-injection-attack
for more details.

Author: mdtro

.github/workflows/release-comment-issues.yml

@@ -17,7 +17,10 @@ jobs:
     steps:
       - name: Get version
         id: get_version
-        run: echo "version=${{ github.event.inputs.version || github.event.release.tag_name }}" >> $GITHUB_OUTPUT
+        env:
+          INPUTS_VERSION: ${{ github.event.inputs.version }}
+          RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
+        run: echo "version=${$INPUTS_VERSION:-$RELEASE_TAG_NAME}" >> "$GITHUB_OUTPUT"
 
       - name: Comment on linked issues that are mentioned in release
         if: |
@@ -28,4 +31,4 @@ jobs:
         uses: getsentry/release-comment-issues-gh-action@v1
         with:
           github_token: ${{ secrets.GITHUB_TOKEN }}
-          version: ${{ steps.get_version.outputs.version }}
+          version: ${{ steps.get_version.outputs.version }}