MarshallOfSound

#50512: chore: harden GitHub Actions against script injection patterns

Merged
Created: Mar 26, 2026, 2:51:50 AM
Merged: Mar 26, 2026, 9:02:51 AM
4 comments
Target: main

Description of Change

Replaces direct ${{ }} expression interpolation in run: blocks with environment variables across GitHub Actions workflows and composite actions. This follows GitHub's security hardening guidelines to avoid patterns that automated security scanners (e.g. zizmor, CodeQL, OpenSSF Scorecard) flag as script injection risks.

None of these patterns are currently exploitable — they are either protected by GitHub's built-in fork PR protections, constrained input formats (e.g. SHA hashes, numeric IDs, GitHub usernames), or only called with hardcoded values. This PR is purely a best-practices cleanup to eliminate noisy scanner output and prevent future issues if these patterns are copied or modified.

Changes

  • archaeologist-dig.yml: Move clone_url, head.sha, base.ref from ${{ }} interpolation to env: block with quoted shell variables
  • non-maintainer-dependency-change.yml: Move user.login from inline sed interpolation to $PR_AUTHOR env var
  • issue-unlabeled.yml: Move toJSON(labels) to $LABELS_JSON env var
  • issue-labeled.yml: Move issue.number to $ISSUE_NUMBER env var
  • pipeline-electron-lint.yml: Add hex-only format validation for chromium_revision before use in curl URLs
  • cipd-install/action.yml: Move all ${{ inputs.* }} from inline interpolation to env: blocks with quoted shell references
  • set-chromium-cookie/action.yml: Replace ${{ env.CHROMIUM_GIT_COOKIE }} with $CHROMIUM_GIT_COOKIE shell variable references
  • 5 pull_request_target workflows: Add security comments warning against checking out PR head code

Notes: none
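The pattern this PR applies, shown as an added example rather than one of Electron's own workflows: the same step written with direct `${{ }}` interpolation inside `run:` and then with the value routed through an `env:` block and a quoted shell variable, followed by a hex-only check on a revision before it is spliced into a `curl` URL. The workflow name, job name, the `workflow_dispatch` input wiring, and the `example.invalid` URL are assumptions made for the illustration.

```yaml
# Added example, not part of the electron/electron repository.
name: hardened-example
on:
  # pull_request_target runs with the base repository's token, so no step
  # below checks out the PR head; the workflow only reads event metadata.
  pull_request_target:
    types: [opened, synchronize]
  workflow_dispatch:
    inputs:
      chromium_revision:   # assumed input name for this example
        required: true
        type: string

jobs:
  demo:
    runs-on: ubuntu-latest
    steps:
      # BEFORE: the expression is substituted into the script text before the
      # shell ever parses it, so the value's characters become shell syntax.
      # Kept here only for contrast with the step below.
      - name: Inspect PR (direct interpolation)
        if: github.event_name == 'pull_request_target'
        run: echo "Head SHA is ${{ github.event.pull_request.head.sha }}"

      # AFTER: the value enters the step as an environment variable; the shell
      # expands the quoted "$VAR" at run time and treats its contents as data.
      - name: Inspect PR (env block)
        if: github.event_name == 'pull_request_target'
        env:
          HEAD_SHA: ${{ github.event.pull_request.head.sha }}
          BASE_REF: ${{ github.event.pull_request.base.ref }}
          PR_AUTHOR: ${{ github.event.pull_request.user.login }}
        run: |
          echo "Head SHA is $HEAD_SHA"
          echo "Base ref is $BASE_REF"
          echo "Opened by $PR_AUTHOR"

      # A manually supplied value that ends up inside a URL is checked for the
      # expected shape (hex digits only) before it is used at all.
      - name: Validate chromium_revision before using it in a URL
        if: github.event_name == 'workflow_dispatch'
        env:
          CHROMIUM_REVISION: ${{ inputs.chromium_revision }}
        run: |
          if ! printf '%s' "$CHROMIUM_REVISION" | grep -Eq '^[0-9a-fA-F]+$'; then
            echo "chromium_revision must contain only hex digits" >&2
            exit 1
          fi
          # Placeholder host; the real workflow's URL is not reproduced here.
          curl -fsSL "https://example.invalid/revisions/${CHROMIUM_REVISION}" -o revision.json
```

The `env:` form is what the scanners named in the description look for: once the value lives in an environment variable, the `run:` script text is constant and a reviewer can see at a glance that nothing in it is built from event data.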

Backports

  • 40-x-y: Pending (waiting for a manual backport)
  • 41-x-y: Pending (waiting for a manual backport)
  • 42-x-y: Pending (waiting for a manual backport)

Semver Impact


Semantic Versioning helps users understand the impact of updates:

  • Major (X.y.z): Breaking changes that may require code modifications
  • Minor (x.Y.z): New features that maintain backward compatibility
  • Patch (x.y.Z): Bug fixes that don't change the API
  • None: Changes that don't affect user-facing parts of Electron