Fix template injection vulnerability in signing-event action

Use environment variable instead of direct template expansion to prevent
code injection via inputs.base-branch parameter

Author: kipz

actions/signing-event/action.yml

@@ -35,9 +35,11 @@ runs:
         persist-credentials: true
 
     - id: detect-base-branch
+      env:
+        INPUT_BASE_BRANCH: ${{ inputs.base-branch }}
       run: |
-        if [ -n "${{ inputs.base-branch }}" ]; then
-          echo "base-branch=${{ inputs.base-branch }}" >> $GITHUB_OUTPUT
+        if [ -n "$INPUT_BASE_BRANCH" ]; then
+          echo "base-branch=$INPUT_BASE_BRANCH" >> $GITHUB_OUTPUT
         else
           # Try to auto-detect default branch
           BASE_BRANCH=$(git symbolic-ref refs/remotes/origin/HEAD 2>/dev/null | sed 's@^refs/remotes/origin/@@' || echo "main")