fix: release notification secrets context and script injection (#50)

* fix: release notification — secrets context and script injection

- Move secrets check from job-level if to step-level env (secrets
  context is not available in jobs.<id>.if — only github, inputs,
  needs, and vars are allowed)
- Pass release event data via env variables instead of direct ${{ }}
  interpolation in run block to prevent script injection
- Skip Slack post if no message was built

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

* fix: build full JSON payload in shell to prevent JSON injection

Use jq to build the Slack payload JSON in the shell step instead of
interpolating untrusted values into the payload block. This ensures
release names with quotes or backslashes produce valid JSON.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

---------

Co-authored-by: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: abhizipstack

.github/workflows/release-notification.yml

@@ -7,23 +7,24 @@ on:
 jobs:
   notify:
     runs-on: ubuntu-latest
-    if: ${{ secrets.SLACK_WEBHOOK_URL != '' }}
     steps:
-      - name: Build Slack message
+      - name: Build Slack payload
         id: message
+        if: ${{ env.SLACK_WEBHOOK_URL != '' }}
         env:
+          SLACK_WEBHOOK_URL: ${{ secrets.SLACK_WEBHOOK_URL }}
           TAG: ${{ github.event.release.tag_name }}
           RELEASE_NAME: ${{ github.event.release.name }}
           URL: ${{ github.event.release.html_url }}
         run: |
-          echo "text=🚀 *Visitran ${TAG}* released! ${RELEASE_NAME} <${URL}|View Release Notes>" >> "$GITHUB_OUTPUT"
+          TEXT=$(printf '🚀 *Visitran %s* released! %s <%s|View Release Notes>' "$TAG" "$RELEASE_NAME" "$URL")
+          PAYLOAD=$(jq -nc --arg text "$TEXT" '{"text": $text}')
+          echo "payload=$PAYLOAD" >> "$GITHUB_OUTPUT"
 
       - name: Post to Slack
+        if: ${{ steps.message.outputs.payload != '' }}
         uses: slackapi/slack-github-action@v2.1.0
         with:
           webhook: ${{ secrets.SLACK_WEBHOOK_URL }}
           webhook-type: incoming-webhook
-          payload: |
-            {
-              "text": "${{ steps.message.outputs.text }}"
-            }
+          payload: ${{ steps.message.outputs.payload }}