… 8.0.0"" (#1929)

Revert "Revert "build(deps): bump actions/github-script from 7.0.1 to 8.0.0" …"

This reverts commit 87d39f4.

* chore(release): 5.5.4

* chore(release): 6.0.0

* fix: small fixes

---------

Co-authored-by: Tom Hu <tomhu1096@gmail.com>

Replace direct ${{ inputs.skip_validation }}, ${{ inputs.use_oidc }},
${{ inputs.token }}, and ${{ env.CODECOV_TOKEN }} interpolation inside
run: shell scripts with env-var indirection. GitHub Actions resolves
template expressions before the shell sees the script, so any consumer
workflow that passes user-controlled data into these inputs could
achieve arbitrary command execution on the runner. Moving the values
into env: entries and referencing them as $INPUT_* shell variables
ensures the shell always treats them as data, not code.