
fix(ci): harden release-proposal-dispatch against untrusted main_start_ref #2045

Merged
iunanua merged 2 commits into main from igor/versioning/proposal-vuln-fix on May 27, 2026

Conversation

@iunanua
Contributor

@iunanua iunanua commented May 27, 2026

What does this PR do?

Harden release-proposal-dispatch against untrusted main_start_ref

Block three privilege-escalation paths for an authorised release operator who selects an attacker-controlled main_start_ref:

  • Reject refs/pull/* and require the resolved commit be reachable from origin/main or the matching origin/hotfix/<crate>/N.x.x branch.
  • Reject pre-release-hook / pre-release-replacements anywhere in the checked-out Cargo.toml / release.toml, since cargo-release would execute them with the job's OIDC mint capability.
  • Move inputs.main_start_ref from inline template expansion into an env: mapping on the ephemeral-branch step to close a shell-injection sink.

Also extract the hotfix branch regex into HOTFIX_REF_PATTERN at workflow level so all three call sites stay in sync.

…t_ref

Block three privilege-escalation paths for an authorised release operator who
selects an attacker-controlled `main_start_ref`:

- Reject `refs/pull/*` and require the resolved commit be reachable from
  `origin/main` or the matching `origin/hotfix/<crate>/N.x.x` branch.
- Reject `pre-release-hook` / `pre-release-replacements` anywhere in the
  checked-out `Cargo.toml` / `release.toml`, since cargo-release would execute
  them with the job's OIDC mint capability.
- Move `inputs.main_start_ref` from inline template expansion into an `env:`
  mapping on the ephemeral-branch step to close a shell-injection sink.

Also extract the hotfix branch regex into `HOTFIX_REF_PATTERN` at workflow level
so all three call sites stay in sync.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
@iunanua iunanua changed the title fix(ci): harden release-proposal-dispatch against untrusted main_star… fix(ci): harden release-proposal-dispatch against untrusted main_start_ref May 27, 2026
@iunanua iunanua marked this pull request as ready for review May 27, 2026 08:25
@iunanua iunanua requested a review from a team as a code owner May 27, 2026 08:25
@datadog-datadog-prod-us1-2

datadog-datadog-prod-us1-2 Bot commented May 27, 2026

Tests

🎉 All green!

🧪 All tests passed
❄️ No new flaky tests detected

🎯 Code Coverage (details)
Patch Coverage: 100.00%
Overall Coverage: 72.84% (-0.02%)

🔗 Commit SHA: a710531 | Docs | Datadog PR Page | Give us feedback!


@chatgpt-codex-connector chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 93f0b9d356

Review comment thread on .github/workflows/release-proposal-dispatch.yml (outdated)
@codecov-commenter

codecov-commenter commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 72.83%. Comparing base (e268076) to head (a710531).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@            Coverage Diff             @@
##             main    #2045      +/-   ##
==========================================
- Coverage   72.86%   72.83%   -0.03%     
==========================================
  Files         459      459              
  Lines       76134    76134              
==========================================
- Hits        55472    55453      -19     
- Misses      20662    20681      +19     
| Component | Coverage Δ |
|---|---|
| libdd-crashtracker | 65.21% <ø> (-0.03%) ⬇️ |
| libdd-crashtracker-ffi | 36.82% <ø> (ø) |
| libdd-alloc | 98.77% <ø> (ø) |
| libdd-data-pipeline | 85.60% <ø> (ø) |
| libdd-data-pipeline-ffi | 75.70% <ø> (ø) |
| libdd-common | 79.89% <ø> (ø) |
| libdd-common-ffi | 74.41% <ø> (ø) |
| libdd-telemetry | 73.37% <ø> (+0.02%) ⬆️ |
| libdd-telemetry-ffi | 31.36% <ø> (ø) |
| libdd-dogstatsd-client | 82.64% <ø> (ø) |
| datadog-ipc | 76.17% <ø> (-0.05%) ⬇️ |
| libdd-profiling | 81.69% <ø> (-0.02%) ⬇️ |
| libdd-profiling-ffi | 64.79% <ø> (ø) |
| libdd-sampling | 97.46% <ø> (ø) |
| datadog-sidecar | 29.19% <ø> (-0.02%) ⬇️ |
| datdog-sidecar-ffi | 10.17% <ø> (ø) |
| spawn-worker | 48.86% <ø> (ø) |
| libdd-tinybytes | 93.80% <ø> (ø) |
| libdd-trace-normalization | 81.71% <ø> (ø) |
| libdd-trace-obfuscation | 87.30% <ø> (ø) |
| libdd-trace-protobuf | 68.25% <ø> (ø) |
| libdd-trace-utils | 88.83% <ø> (ø) |
| libdd-tracer-flare | 86.88% <ø> (ø) |
| libdd-log | 74.83% <ø> (ø) |

@dd-octo-sts
Contributor

dd-octo-sts Bot commented May 27, 2026

Artifact Size Benchmark Report

aarch64-alpine-linux-musl

| Artifact | Baseline | Commit | Change |
|---|---|---|---|
| /aarch64-alpine-linux-musl/lib/libdatadog_profiling.a | 82.94 MB | 82.94 MB | 0% (0 B) 👌 |
| /aarch64-alpine-linux-musl/lib/libdatadog_profiling.so | 7.63 MB | 7.63 MB | 0% (0 B) 👌 |

aarch64-unknown-linux-gnu

| Artifact | Baseline | Commit | Change |
|---|---|---|---|
| /aarch64-unknown-linux-gnu/lib/libdatadog_profiling.a | 94.02 MB | 94.02 MB | 0% (0 B) 👌 |
| /aarch64-unknown-linux-gnu/lib/libdatadog_profiling.so | 10.25 MB | 10.25 MB | 0% (0 B) 👌 |

libdatadog-x64-windows

| Artifact | Baseline | Commit | Change |
|---|---|---|---|
| /libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.dll | 24.54 MB | 24.54 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.lib | 83.96 KB | 83.96 KB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/debug/dynamic/datadog_profiling_ffi.pdb | 178.25 MB | 178.26 MB | +0% (+8.00 KB) 👌 |
| /libdatadog-x64-windows/debug/static/datadog_profiling_ffi.lib | 915.25 MB | 915.25 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.dll | 8.03 MB | 8.03 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.lib | 83.96 KB | 83.96 KB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/dynamic/datadog_profiling_ffi.pdb | 23.77 MB | 23.77 MB | 0% (0 B) 👌 |
| /libdatadog-x64-windows/release/static/datadog_profiling_ffi.lib | 47.43 MB | 47.43 MB | 0% (0 B) 👌 |

libdatadog-x86-windows

| Artifact | Baseline | Commit | Change |
|---|---|---|---|
| /libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.dll | 21.27 MB | 21.27 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.lib | 85.29 KB | 85.29 KB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/debug/dynamic/datadog_profiling_ffi.pdb | 182.21 MB | 182.21 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/debug/static/datadog_profiling_ffi.lib | 908.37 MB | 908.37 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.dll | 6.20 MB | 6.20 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.lib | 85.29 KB | 85.29 KB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/dynamic/datadog_profiling_ffi.pdb | 25.48 MB | 25.48 MB | 0% (0 B) 👌 |
| /libdatadog-x86-windows/release/static/datadog_profiling_ffi.lib | 45.07 MB | 45.07 MB | 0% (0 B) 👌 |

x86_64-alpine-linux-musl

| Artifact | Baseline | Commit | Change |
|---|---|---|---|
| /x86_64-alpine-linux-musl/lib/libdatadog_profiling.a | 73.95 MB | 73.95 MB | 0% (0 B) 👌 |
| /x86_64-alpine-linux-musl/lib/libdatadog_profiling.so | 8.52 MB | 8.52 MB | 0% (0 B) 👌 |

x86_64-unknown-linux-gnu

| Artifact | Baseline | Commit | Change |
|---|---|---|---|
| /x86_64-unknown-linux-gnu/lib/libdatadog_profiling.a | 89.36 MB | 89.36 MB | 0% (0 B) 👌 |
| /x86_64-unknown-linux-gnu/lib/libdatadog_profiling.so | 10.36 MB | 10.36 MB | 0% (0 B) 👌 |

…ay forms

The previous pattern required the key to be preceded by start-of-line or
whitespace, so valid TOML forms like `package.metadata.release.pre-release-hook
= "..."` and `[[package.metadata.release.pre-release-replacements]]` would slip
past the guard while still being honoured by cargo-release. Switch to a broader
match that catches the key name in any TOML position (bare, dotted, quoted,
inline-table, array-of-table) while still excluding `#` comments.

Co-Authored-By: Claude Opus 4.7 <noreply@anthropic.com>
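The hook-key guard from the PR's second check, with the broadened matching rule this commit message describes, as an added shell example rather than the repository's own workflow code. `HOOK_KEY_PATTERN` is an assumed pattern written for this example (the project's regex is not shown on the page), and the sample manifests are constructed inline to cover the bare, dotted, quoted, inline-table and array-of-table forms named above.

```shell
#!/usr/bin/env bash
# Added example, not the repository's workflow code: a line-oriented guard for
# cargo-release hook keys, illustrating the "any TOML position, but not in a
# # comment" requirement from the commit message. HOOK_KEY_PATTERN is an assumed
# pattern written for this example, not the project's own regex.
set -u

# The key must appear before any '#' on the line and be delimited by characters
# that cannot be part of a TOML bare key, so bare, dotted, quoted, inline-table
# and array-of-table forms all match while a commented-out key does not.
HOOK_KEY_PATTERN='^[^#]*(^|[^[:alnum:]_#-])pre-release-(hook|replacements)([^[:alnum:]_-]|$)'

# manifest_is_clean FILE: return 0 when no hook key is present, 1 (with the
# offending lines on stderr) when one is.
manifest_is_clean() {
  if grep -Eq "$HOOK_KEY_PATTERN" "$1"; then
    echo "refusing $1: cargo-release hook key present" >&2
    grep -En "$HOOK_KEY_PATTERN" "$1" >&2
    return 1
  fi
  return 0
}

# Constructed sample manifests for the demo (not files from the repository).
DEMO_DIR=$(mktemp -d)
cat > "$DEMO_DIR/clean.toml" <<'EOF'
[package]
name = "demo"
version = "1.2.3"
# pre-release-hook = ["./script.sh"]   a commented-out key must not trigger
[package.metadata.release]
tag-prefix = "demo-"
EOF
cat > "$DEMO_DIR/bare.toml" <<'EOF'
[package.metadata.release]
pre-release-hook = ["./run-me.sh"]
EOF
cat > "$DEMO_DIR/dotted.toml" <<'EOF'
[package]
name = "demo"
package.metadata.release.pre-release-hook = "./run-me.sh"
EOF
cat > "$DEMO_DIR/aot.toml" <<'EOF'
[[package.metadata.release.pre-release-replacements]]
file = "CHANGELOG.md"
search = "Unreleased"
EOF
cat > "$DEMO_DIR/inline.toml" <<'EOF'
[package.metadata]
release = { "pre-release-hook" = ["./run-me.sh"] }
EOF

# hook_forms_caught: print how many of the four unsafe samples the guard refuses.
hook_forms_caught() {
  local n=0 f
  for f in bare dotted aot inline; do
    manifest_is_clean "$DEMO_DIR/$f.toml" 2>/dev/null || n=$((n + 1))
  done
  echo "$n"
}
```

The pattern is deliberately permissive about where the key name sits, because cargo-release honours the key in every one of these positions and a miss means the hook runs with the job's credentials. One gap a line-oriented regex cannot close: a `#` inside a quoted string earlier on the same line (possible in an inline table) would hide a key that follows it, so a guard that must be airtight should parse the TOML and walk every table for the key instead of matching text.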
@iunanua iunanua merged commit 8ac7358 into main May 27, 2026
47 checks passed
@iunanua iunanua deleted the igor/versioning/proposal-vuln-fix branch May 27, 2026 15:41