fix(ci): harden release workflow inputs

[gilescope]

Motivation

• A user-controlled runtime-tag-release / suffix value was being interpolated directly into run: shell blocks, allowing shell metacharacters to be expanded before the shell runs and enabling command injection in privileged release jobs.
• The goal is to eliminate pre-shell expression interpolation and validate inputs so only safe characters are used for generated filenames and tags.

Description

• Add allowlist validation for the top-level suffix in .github/workflows/release-image.yml and for runtime-tag-release in .github/workflows/srtool-build.yml to permit only letters, numbers, dots, underscores, and hyphens.
• Stop embedding ${{ ... }} expressions directly inside run: scripts by exporting derived srtool WASM filenames into environment variables (WASM_FILE, COMPACT_WASM_FILE, COMPRESSED_WASM_FILE) and then referencing those shell variables inside the run: blocks.
• Move matrix.platform usages into env: PLATFORM: ${{ matrix.platform }} and use $PLATFORM inside run: blocks so no ${{ ... }} expressions appear in shell scripts.
• Update checksum generation, artifact upload, and related steps to use the safe environment variables and preserve existing attestation/upload functionality.

Testing

• Parsed both modified workflows with Ruby YAML (YAML.load_file) to ensure syntactic validity, which succeeded.
• Ran a Python run-block scanner that verifies no ${{ ... }} GitHub expressions remain inside run: blocks for the touched workflows, which succeeded.
• Executed a Bash regex unit check confirming allowed example suffixes/tags are accepted and malicious payloads with shell metacharacters are rejected, which succeeded.
• Ran git diff --check to ensure no whitespace or diff issues, which succeeded, and noted actionlint was not available in the environment so full linting could not be run locally.

---

Codex Task