ci(release): build release notes from CHANGELOG and harden version expansion

Ports the ScheduledTasksManager release-tooling improvements into the template so
every module scaffolded from it inherits them.

- Create GitHub Release: extract the published version's section from CHANGELOG.md
  and pass it via --notes-file (in pwsh), instead of --generate-notes. The latter
  lists every merged PR since the last release tag, which between version bumps is
  dominated by bot/CI/chore PRs and buries the actual user-facing changes. Includes
  a Full Changelog compare link and falls back to --generate-notes if a version has
  no changelog section (so a release is never blocked).
- Pass the version output via env (VERSION) in the 'Check if Release Exists',
  'Check if PSGallery Version Exists', and 'Create GitHub Release' steps instead of
  inlining ${{ steps.version.outputs.version }} into the run scripts. Inline
  template expansion is substituted into the script text before the shell runs (a
  template-injection vector zizmor/CodeRabbit flag); env vars are read at runtime.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: tablackburn

.github/workflows/PublishModuleToPowerShellGallery.yaml

@@ -54,21 +54,24 @@ jobs:
         shell: bash
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          if gh release view "v${{ steps.version.outputs.version }}" > /dev/null 2>&1; then
+          if gh release view "v$VERSION" > /dev/null 2>&1; then
             echo "exists=true" >> $GITHUB_OUTPUT
-            echo "GitHub release v${{ steps.version.outputs.version }} already exists"
+            echo "GitHub release v$VERSION already exists"
           else
             echo "exists=false" >> $GITHUB_OUTPUT
-            echo "GitHub release v${{ steps.version.outputs.version }} does not exist"
+            echo "GitHub release v$VERSION does not exist"
           fi
 
       - name: Check if PSGallery Version Exists
         id: check_psgallery
         if: steps.check_release.outputs.exists == 'false'
         shell: pwsh
+        env:
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          $version = "${{ steps.version.outputs.version }}"
+          $version = $env:VERSION
           $published = Find-Module -Name {{ModuleName}} -RequiredVersion $version -Repository PSGallery -ErrorAction SilentlyContinue
           if ($published) {
             Write-Host "PSGallery version $version already exists"
@@ -85,13 +88,45 @@ jobs:
 
       - name: Create GitHub Release
         if: steps.check_release.outputs.exists == 'false'
-        shell: bash
+        shell: pwsh
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+          REPOSITORY: ${{ github.repository }}
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          gh release create "v${{ steps.version.outputs.version }}" \
-            --title "v${{ steps.version.outputs.version }}" \
-            --generate-notes
+          $version = $env:VERSION
+
+          # Build release notes from this version's CHANGELOG.md section so the release
+          # body carries only the curated, user-facing entries (not the full PR list that
+          # --generate-notes produces, which is dominated by bot/CI/chore PRs).
+          $headerPattern = '^##\s+\[' + [regex]::Escape($version) + '\]'
+          $capturing = $false
+          $captured = [System.Collections.Generic.List[string]]::new()
+          foreach ($line in (Get-Content -LiteralPath './CHANGELOG.md')) {
+              if (-not $capturing) {
+                  if ($line -match $headerPattern) { $capturing = $true }
+                  continue
+              }
+              if ($line -match '^##\s+\[') { break }   # next version header ends the section
+              $captured.Add($line)
+          }
+          $body = ($captured -join "`n").Trim()
+
+          if ([string]::IsNullOrWhiteSpace($body)) {
+              Write-Host "::warning::No CHANGELOG.md section found for $version; falling back to auto-generated notes."
+              gh release create "v$version" --title "v$version" --generate-notes
+          }
+          else {
+              # Append a compare link against the most recent existing tag. The v$version
+              # tag does not exist yet (this step creates it), so the latest tag is the
+              # previous release.
+              $previousTag = git tag --list 'v*' --sort=-version:refname | Select-Object -First 1
+              if ($previousTag) {
+                  $body += "`n`n**Full Changelog**: https://github.com/$env:REPOSITORY/compare/$previousTag...v$version"
+              }
+              Set-Content -LiteralPath './release-notes.md' -Value $body -Encoding utf8
+              gh release create "v$version" --title "v$version" --notes-file './release-notes.md'
+          }
 
       - name: Publish to PSGallery
         if: steps.check_release.outputs.exists == 'false' && steps.check_psgallery.outputs.exists == 'false'