
fix(ci): avoid shell interpolation of release tags #130

Merged
chaliy merged 1 commit into main from 2026-05-18-fix-shell-injection-in-publish-workflow on May 18, 2026

Conversation

@chaliy (Contributor) commented May 18, 2026

Motivation

  • Prevent command injection where ${{ inputs.release_tag }} and github.event.release.tag_name were interpolated directly into a run: shell block for manual workflow_dispatch, which could allow crafted tag names to execute commands before cargo publish.

Description

  • Move github.event_name, inputs.release_tag, and github.event.release.tag_name into the step env as EVENT_NAME, INPUT_RELEASE_TAG, and RELEASE_TAG_NAME in .github/workflows/publish.yml.
  • Read those environment variables inside the run: script instead of embedding GitHub expressions into shell source, preserving the existing version verification and cargo publish behavior.

Testing

  • Attempted to rebase on origin/main locally but it failed because no origin remote is configured in this environment.
  • No unit or integration tests were changed or required for this workflow-only fix; CI will validate the workflow and run the repository test suite after merge.

Codex Task
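The substitution mechanism this PR guards against, as an added example that is not part of the pull request or the project's workflow: the first function simulates how the runner expands a `${{ }}` expression into the script source before the shell parses it, the second reads the same values from step env the way the fix does. The Cargo version, the crafted tag, and the function names are constructed for illustration; the `env:` keys in the comments match those the PR description names.

```shell
#!/bin/sh
# Added example (not the project's workflow). Simulates the two shapes of the
# version-check step. All values here are constructed for illustration.

# Version a hypothetical Cargo.toml would carry.
CARGO_VERSION="1.2.3"

# Before the fix. The step looked roughly like:
#   run: |
#     TAG="${{ inputs.release_tag }}"
#     ...
# The runner replaces ${{ }} textually in the script SOURCE before the shell
# parses it, so a tag can close the quotes and append its own commands.
vulnerable_step() {
  tag="$1"
  # Textual substitution, as the runner does for ${{ }} expressions.
  script='TAG="'"$tag"'"
if [ "${TAG#v}" = "'"$CARGO_VERSION"'" ]; then echo VERSION_OK; else echo VERSION_MISMATCH; fi'
  sh -c "$script"
}

# After the fix. The expressions move to step env and the script reads plain
# shell variables:
#   env:
#     EVENT_NAME: ${{ github.event_name }}
#     INPUT_RELEASE_TAG: ${{ inputs.release_tag }}
#     RELEASE_TAG_NAME: ${{ github.event.release.tag_name }}
#   run: |
#     if [ "$EVENT_NAME" = "workflow_dispatch" ]; then TAG="$INPUT_RELEASE_TAG"; ...
# The tag arrives as data in the environment and is never parsed as code.
hardened_step() {
  script='if [ "$EVENT_NAME" = "workflow_dispatch" ]; then TAG="$INPUT_RELEASE_TAG"; else TAG="$RELEASE_TAG_NAME"; fi
if [ "${TAG#v}" = "$CARGO_VERSION" ]; then echo VERSION_OK; else echo VERSION_MISMATCH; fi'
  EVENT_NAME="$1" INPUT_RELEASE_TAG="$2" RELEASE_TAG_NAME="$3" CARGO_VERSION="$CARGO_VERSION" \
    sh -c "$script"
}

# Constructed tag that terminates the quoted assignment and injects a command.
# The trailing ':"' keeps the rest of the line syntactically valid.
PAYLOAD='v1.2.3"; echo INJECTED; :"'

echo "--- vulnerable step, crafted tag ---"
vulnerable_step "$PAYLOAD"                     # prints INJECTED, then VERSION_OK: check bypassed
echo "--- hardened step, crafted tag ---"
hardened_step workflow_dispatch "$PAYLOAD" ""  # VERSION_MISMATCH, nothing injected
echo "--- hardened step, release event ---"
hardened_step release "" v1.2.3                # VERSION_OK
```

The vulnerable path is worse than "arbitrary command runs": because the payload's first segment is `v1.2.3"`, the truncated `TAG` still matches `Cargo.toml`, so the version gate reports success and `cargo publish` would proceed. Passing the value through `env:` makes the quoting in the script mean what it says.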


Copilot AI left a comment


Pull request overview

This PR hardens the publish workflow by avoiding direct interpolation of release tag values into shell script source during version verification.

Changes:

  • Moves GitHub Actions context values into step-level environment variables.
  • Reads release tag values from quoted shell variables before comparing them to Cargo.toml.


@chaliy chaliy merged commit 4ab6f24 into main May 18, 2026
15 checks passed
@chaliy chaliy deleted the 2026-05-18-fix-shell-injection-in-publish-workflow branch May 18, 2026 03:55
