fix(security): prevent command injection in GitHub Actions workflows

- Use environment variables instead of direct interpolation for user inputs
- Add proper quoting for environment variables in shell commands
- Fix create-release.yml: use INPUT_VERSION env var for inputs.version
- Fix retry-workflow.yml: use RUN_ID env var for inputs.run_id

Resolves high-severity security vulnerability in workflow variable interpolation

Author: kevinmessiaen

.github/workflows/create-release.yml

@@ -28,8 +28,10 @@ jobs:
           exit 1
 
       - name: Write release version env vars (with/without v)
+        env:
+          INPUT_VERSION: ${{ inputs.version }}
         run: |
-          VERSION_NAME="v${{ inputs.version }}"
+          VERSION_NAME="v$INPUT_VERSION"
           VERSION_NUMBER="${VERSION_NAME:1}"
           echo "VERSION_NUMBER=${VERSION_NUMBER}" >> $GITHUB_ENV
           echo "VERSION_NAME=${VERSION_NAME}" >> $GITHUB_ENV

.github/workflows/retry-workflow.yml

@@ -14,6 +14,7 @@ jobs:
         env:
           GH_REPO: ${{ github.repository }}
           GH_TOKEN: ${{ github.token }}
+          RUN_ID: ${{ inputs.run_id }}
         run: |
-          gh run watch ${{ inputs.run_id }} > /dev/null 2>&1
-          gh run rerun ${{ inputs.run_id }} --failed
+          gh run watch "$RUN_ID" > /dev/null 2>&1
+          gh run rerun "$RUN_ID" --failed