woocommerce / grow


Avoid running malicious inputs as shell commands in Custom GitHub actions and related workflows #131

Closed eason9487 closed 3 months ago

eason9487 commented 3 months ago

Changes proposed in this Pull Request:

This PR avoids running malicious inputs as shell commands in the GitHub Actions.

Although most input values are entered by devs who have access to their repo, which means it's almost unlikely to be vulnerable to such attacks, it would be better to fix it.

Ref: https://securitylab.github.com/research/github-actions-untrusted-input/

Detailed test instructions:

📌 Workflows for managing test build

  1. View the run result of "Create Test Build"
  2. View the run result of "Delete Test Build"

📌 automerge-released-trunk action

I didn't prepare a test for this as it uses the same fix as https://github.com/woocommerce/google-listings-and-ads/pull/2394

📌 eslint-annotation and stylelint-annotation actions

  1. View the test workflow run that used the fixed eslint-annotation and stylelint-annotation actions
    • This run failed on purpose to test if it can report JS and CSS linting errors
  2. View the linting annotations in the test PR

📌 prepare-extension-release action

  1. View the test workflow run that used the fixed action 1
  2. View the new release PR created by this action

📌 merge-trunk-develop-pr actions

  1. View the test workflow run that used the fixed action
  2. View the merging back PR created by this action

📌 prepare-node and prepare-php actions

  1. View the run result of "Create Test Build" as it also uses the prepare-node action.
  2. The prepare-php action uses the same fix so I believe it should work as well.

📌 run-qit-annotate action

  1. View the commit 3393d60b679bdb01ea891a3f49f36c9a9b3ccdb1 that triggered a workflow run to validate the run-qit-annotate action of this PR
  2. View the result of the test workflow run
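The class of fix this PR applies, shown as an added example rather than code from the woocommerce/grow repository: the same workflow step written first with the `${{ }}` expression interpolated directly into the `run:` script (the pattern the linked GitHub Security Lab article warns about) and then with the value handed to the shell through `env:`. The workflow name, job names and the use of the pull request title as the input are illustrative assumptions; the repository's own actions read other inputs, but the pattern is identical for `${{ inputs.* }}` in a composite `action.yml`.

```yaml
# Added example, not from the PR. Job/step names and the chosen input
# (pull_request.title) are assumptions used to illustrate the pattern.
name: title-check
on:
  pull_request:
    types: [opened, edited]

jobs:
  # WEAK: the runner substitutes the expression into the script TEXT before
  # bash parses it, so any shell metacharacters in the title (quotes, $(...),
  # backticks, ;) become part of the script instead of data.
  weak-step:
    runs-on: ubuntu-latest
    steps:
      - name: Check title (expression interpolated into the script)
        run: |
          title="${{ github.event.pull_request.title }}"
          echo "Checking: $title"

  # CORRECTED: the runner evaluates the expression into an environment
  # variable. The script text is now fixed, and the shell only ever reads the
  # value through "$TITLE"; double quoting also prevents word splitting and
  # globbing, and no command substitution is performed on the value.
  safe-step:
    runs-on: ubuntu-latest
    steps:
      - name: Check title (value passed via env)
        env:
          TITLE: ${{ github.event.pull_request.title }}
        run: |
          echo "Checking: $TITLE"
          case "$TITLE" in
            *"[skip ci]"*) echo "skip marker present" ;;
            *)             echo "no skip marker" ;;
          esac
```

The rule of thumb when reviewing a workflow or composite action: any `${{ }}` that appears inside `run:`, or inside an argument to `bash -c`/`sh -c`, should be moved to `env:` (or to `with:` for an action that takes it as an input) and referenced from the script as a quoted shell variable. Inputs that a contributor controls (PR titles and bodies, branch names, commit messages, issue comments, and `inputs.*` of a reusable action called from such a context) are the ones worth checking first, which is why the PR above treats it as worth fixing even for developer-facing actions.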
eason9487 commented 3 months ago

I will be merging this PR in about 3 hours if it's not moved to the in-review status, as code review can be optional for a devs-facing-only change.