Harden release.yml workflow

Prevent shell injection in this workflow by capturing the update type as
an environment variable and using the environment variable. This way, the
expansion of the input in the command can't result in shell injection.

Yes, this particular case is not very vulnerable due to 1) limited value
space, and 2) trusted triggers. However, it's hard to guarantee those
variables stay fixed and simple to apply the fix.

This problem was detected by Semgrep (https://semgrep.dev) using a full-
repository scan.

Author: ericcornelissen

.github/workflows/release.yml

@@ -47,7 +47,9 @@ jobs:
           app_id: ${{ secrets.RELEASE_APP_ID }}
           private_key: ${{ secrets.RELEASE_APP_PRIVATE_KEY }}
       - name: Bump version
-        run: node scripts/bump-version.js '${{ github.event.inputs.update_type }}'
+        env:
+          UPDATE_TYPE: ${{ github.event.inputs.update_type }}
+        run:  node scripts/bump-version.js "$UPDATE_TYPE"
       - name: Update the changelog
         run: node scripts/bump-changelog.js
       - name: Create Pull Request