fix: prevent script injection in tag-on-merge workflow

Use environment variable instead of direct interpolation of
github.event.pull_request.head.ref to prevent command injection.

Author: markussiebert

.github/workflows/tag-on-merge.yml

@@ -23,8 +23,9 @@ jobs:
 
       - name: Extract version from branch name
         id: version
+        env:
+          BRANCH_NAME: ${{ github.event.pull_request.head.ref }}
         run: |
-          BRANCH_NAME="${{ github.event.pull_request.head.ref }}"
           VERSION=${BRANCH_NAME#release/}
           echo "version=$VERSION" >> $GITHUB_OUTPUT