
Stop interpolating release analyzer workflow inputs into shell commands #5271

@petrmarinec

Summary

The release analyzer workflow interpolates workflow_dispatch string inputs directly into the shell command used in run:. Shell metacharacters in start_tag or end_tag are parsed by bash before Python starts.

Affected code

  • .github/workflows/analyze-releases-for-adk-docs-updates.yml

Problem

The workflow currently expands inputs like this inside the run: step:

    ${{ github.event.inputs.start_tag && format('--start-tag {0}', github.event.inputs.start_tag) || '' }}

A value such as `v1.0.0; touch /tmp/proof #` becomes part of the shell command line and executes as an additional command.

Expected behavior

Workflow inputs should be treated as data and passed to Python without shell interpretation.

Proposed fix

Move the dispatch inputs into environment variables and build the Python argument list in bash using an array before invoking the analyzer.

Validation

I have a PR prepared that:

  • removes direct interpolation of start_tag and end_tag into run:
  • passes the values through environment variables and a bash array
  • reproduces command execution with the pre-patch rendered command in Linux Docker
  • confirms the patched form passes the malicious value as a single argv element and does not create the proof file
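The hardened pattern from the proposed fix, written out as a stand-alone bash snippet (an added illustration, not the prepared PR's code): the dispatch inputs arrive as environment variables, the argument list is built as a bash array, and each value reaches the analyzer as exactly one argv element. The variable names START_TAG/END_TAG, the `env:` mapping in the comment, and the printf stand-in for the analyzer are assumptions.

```shell
#!/usr/bin/env bash
# Added example of the proposed fix. In the workflow step the inputs are mapped
# to env (assumed names) instead of being interpolated into run: with ${{ }}:
#   env:
#     START_TAG: ${{ github.event.inputs.start_tag }}
#     END_TAG: ${{ github.event.inputs.end_tag }}
#   run: |
#     args=()
#     [ -n "$START_TAG" ] && args+=(--start-tag "$START_TAG")
#     [ -n "$END_TAG" ]   && args+=(--end-tag "$END_TAG")
#     python analyzer.py "${args[@]}"      # analyzer path assumed
# Bash expands "${args[@]}" word by word, so metacharacters inside a value are
# never re-parsed as shell syntax; they are just bytes in one argv element.

# Builds the analyzer argument list from START_TAG / END_TAG and runs the
# analyzer command given as arguments. With no command given it uses a
# printf stand-in that prints one line per argv element, which makes the
# splitting observable (constructed for this example, not the real analyzer).
run_analyzer() {
  local analyzer=("$@")
  [ "${#analyzer[@]}" -eq 0 ] && analyzer=(printf '%s\n')

  local args=()
  if [ -n "${START_TAG:-}" ]; then
    args+=(--start-tag "$START_TAG")
  fi
  if [ -n "${END_TAG:-}" ]; then
    args+=(--end-tag "$END_TAG")
  fi

  # Nothing to pass: return without invoking the stand-in, which would
  # otherwise print a single empty line and look like one argument.
  [ "${#args[@]}" -eq 0 ] && return 0

  "${analyzer[@]}" "${args[@]}"
}

# Number of argv elements the stand-in analyzer received for the current env.
argv_count() {
  run_analyzer | wc -l | tr -d ' '
}
```

Running `START_TAG='v1.0.0; touch /tmp/proof #' bash -c 'source ./example.sh; run_analyzer'` prints two lines, the flag and the untouched tag string, and no extra command runs.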
