ci(release_apps): fix zizmor error

[Boshen]

No description provided.

[graphite-app]

How to use the Graphite Merge Queue

Add either label to this PR to merge it via the merge queue:

• 0-merge - adds this PR to the back of the merge queue
• hotfix - for urgent hot fixes, skip the queue and merge this PR next

You must have a Graphite account in order to use the merge queue. Sign up using this link.

An organization admin has enabled the Graphite Merge Queue in this repository.

Please do not merge from GitHub as this will restart CI on PRs being processed by the merge queue.

[Boshen]

Merge activity

• Nov 11, 10:54 AM UTC: The merge label '0-merge' was detected. This PR will be added to the Graphite merge queue once it meets the requirements.
• Nov 11, 11:03 AM UTC: Boshen added this pull request to the Graphite merge queue.
• Nov 11, 11:08 AM UTC: Merged by the Graphite merge queue.

[Copilot]

Pull Request Overview

This PR addresses security warnings from zizmor by refactoring GitHub Actions workflow expressions to use environment variables instead of inline interpolation, and adding a suppression comment for a false positive.

• Replaced inline ${{ }} expressions in shell scripts with environment variables to prevent potential injection attacks
• Added zizmor ignore comment for a false positive warning about trusted publishing

Reviewed Changes

Copilot reviewed 2 out of 2 changed files in this pull request and generated no comments.

File	Description
.github/workflows/release_apps.yml	Converted inline GitHub expressions to environment variables in the changelog generation step
.github/workflows/prepare_release_crates.yml	Added zizmor ignore comment for dry-run command that doesn't require trusted publishing

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.