Prevent command injection when creating release notes (#1419)

If a merged PR title contains invalid strings, it could allow for shell
injection. It's best to address known problems promptly.

Author: Yang-33

.github/workflows/create-draft-release.yml

@@ -106,7 +106,8 @@ jobs:
             .concat(`\n\n${footer}`);
 
             console.log(`releaseNotes (modified): ${JSON.stringify(modifiedBody, null, 2)}`);
-            core.setOutput("release_body", modifiedBody);
+            const fs = require('fs');
+            fs.writeFileSync('release-notes.txt', modifiedBody, { encoding: 'utf8' });
 
       - name: Prepare Release Title
         id: title
@@ -118,10 +119,6 @@ jobs:
           SANITIZED_TITLE="$(printf '%s' "$RAW_TITLE" | sed 's/"/\\"/g')"
           echo "sanitized_title=$SANITIZED_TITLE" >> "$GITHUB_OUTPUT"
 
-      - name: Write Release Notes to File
-        run: |
-          echo "${{ steps.generate-release-notes.outputs.release_body }}" > release-notes.txt
-
       - name: Create Draft Release
         run: |
           gh release create "${{ steps.calculate-version.outputs.new_version }}" \

.github/workflows/test.yml

@@ -18,7 +18,7 @@ jobs:
           - '20'
           - '20.12.2'
           - '22'
-          - '24'
+          - '24.9.0'
       fail-fast: false
 
     name: Node.js ${{ matrix.node }}