Eliminate interpolation from workflows

[jakebailey]

None of these run with permissions except through manual invocation (and are all validated through the bot anyway), but it's good to not give analyzers the impression that something bad can happen here.

[Copilot]

Pull request overview

This PR enhances security in GitHub Actions workflows by eliminating direct interpolation of GitHub Actions expressions (${{ ... }}) within shell scripts. Instead, values are assigned to environment variables first, then referenced in shell code, preventing potential injection vulnerabilities.

Changes:

• Refactored all workflow files to use environment variables instead of direct expression interpolation
• Applied consistent quoting patterns for shell variable references
• Maintained identical functionality while improving security posture

Reviewed changes

Copilot reviewed 6 out of 6 changed files in this pull request and generated no comments.

Show a summary per file

File	Description
.github/workflows/set-version.yaml	Moved package_version and core_major_minor to env vars, updated sed commands and git commit message
.github/workflows/pr-modified-files.yml	Moved PR_NUMBER, PR_AUTHOR, and REPO to env vars, updated all gh CLI commands
.github/workflows/new-release-branch.yaml	Moved branch_name, package_version, and core_major_minor to env vars, updated sed commands and git operations
.github/workflows/lkg.yml	Moved branch_name to env var, updated branch name validation
.github/workflows/close-issues.yml	Moved REPO to env var, updated all gh issue commands
.github/workflows/ci.yml	Moved matrix.config.bundle and steps.pack.outputs.package to env vars, updated test and smoke test commands