Fix shell injection vulnerability in release workflow

Resolves command injection vulnerability by using environment variables
instead of direct GitHub context interpolation in shell scripts.

This prevents potential malicious code injection through user-controlled
input in github.event_name and github.event.inputs.version.

Changes:
- Added env section with GH_EVENT_NAME and GH_INPUT_VERSION
- Updated shell script to reference environment variables
- Added proper quoting around variables

Fixes: https://linear.app/getsentry/issue/ENG-6554
Parent: https://linear.app/getsentry/issue/VULN-1163

Co-Authored-By: Claude Sonnet 4.5 <noreply@anthropic.com>

Author: fix-it-felix-sentry[bot]

.github/workflows/release.yml

@@ -58,14 +58,17 @@ jobs:
 
       - name: Get version from tag or input
         id: get_version
+        env:
+          GH_EVENT_NAME: ${{ github.event_name }}
+          GH_INPUT_VERSION: ${{ github.event.inputs.version }}
         run: |
-          if [ "${{ github.event_name }}" = "workflow_dispatch" ]; then
-            VERSION="${{ github.event.inputs.version }}"
+          if [ "$GH_EVENT_NAME" = "workflow_dispatch" ]; then
+            VERSION="$GH_INPUT_VERSION"
             echo "VERSION=$VERSION" >> $GITHUB_OUTPUT
             echo "IS_TEST=true" >> $GITHUB_OUTPUT
             echo "📝 Test version: $VERSION"
             # Update package.json version for test releases only
-            npm version $VERSION --no-git-tag-version
+            npm version "$VERSION" --no-git-tag-version
           else
             VERSION=${GITHUB_REF#refs/tags/v}
             echo "VERSION=$VERSION" >> $GITHUB_OUTPUT