fix(eks): remove usage of shell=True in helm commands (#35148)

Improve subprocess handling in EKS Helm custom resource handler.

Same PR as: #35141

### Reason for this change

The EKS Helm custom resource handler used `shell=True` with subprocess calls, which is not aligned with security best practices. Following Python's recommended approach for subprocess execution improves code robustness and follows secure coding guidelines.

### Description of changes

**Refactor subprocess execution to follow Python best practices**
https://docs.python.org/3/library/subprocess.html#replacing-shell-pipeline

- **Replaced shell command strings with array-based commands**: Refactored `get_oci_cmd()` to return structured command objects instead of shell strings
- **Implemented proper subprocess pipelines**: Used `Popen` with `PIPE` to chain `aws ecr get-login-password` and `helm registry login` commands following Python documentation recommendations
- **Removed `shell=True`**: Adopted array-based command execution as recommended by Python subprocess documentation
- **Maintained functionality**: Preserved all existing behavior for private ECR, public ECR, and fallback scenarios

**Files modified:**
- `packages/@aws-cdk/custom-resource-handlers/lib/aws-eks/kubectl-handler/helm/__init__.py`
- `packages/@aws-cdk/aws-eks-v2-alpha/lib/kubectl-handler/helm/__init__.py`
- `packages/@aws-cdk/aws-eks-v2-alpha/test/integ.alb-controller.js.snapshot/asset.*/helm/__init__.py`

**Technical approach:**
- Commands are now built as arrays: `['helm', 'pull', repository, '--version', version, '--untar']`
- Pipeline implementation follows Python subprocess best practices using `Popen` with proper `PIPE` connections
- User inputs are passed as separate array elements, ensuring proper argument handling

### Describe any new or updated permissions being added

No new IAM permissions required. The change maintains the same AWS API calls and functionality.

### Description of how you validated changes

- **Functionality testing**: Confirmed that ECR authentication and Helm chart pulling continues to work correctly for all scenarios
- **Code review**: Verified implementation follows Python subprocess best practices as documented in the Python documentation
- **Compatibility testing**: Ensured backward compatibility with existing CDK Helm chart deployments

### Checklist
- [x] My code adheres to the [CONTRIBUTING GUIDE](https://github.com/aws/aws-cdk/blob/main/CONTRIBUTING.md) and [DESIGN GUIDELINES](https://github.com/aws/aws-cdk/blob/main/docs/DESIGN_GUIDELINES.md)

----

*By submitting this pull request, I confirm that my contribution is made under the terms of the Apache-2.0 license*

Author: aemada-aws

packages/@aws-cdk-testing/framework-integ/test/aws-eks/.gitattributes

@@ -0,0 +1 @@
+*.zip filter=lfs diff=lfs merge=lfs -text

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/asset.c491874c6f9e547809cebf58ee410359efeaa16c82cafaf131b323fd1f502f2c/apply/__init__.py renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/asset.623f9dde2c765e8d16b1f59b011a5eea9e619043f8ced2ed316a7a6f03f5c9d4/apply/__init__.py

@@ -941,7 +941,7 @@
        {
         "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
        },
-       "/9e5735ab13fb0ab98eb443d105c092608811daa53d367ae36289cca965add4c4.json"
+       "/1cf186b4d089119320de10437dfa334d7b9f08ff99f2c87633f28d225ac8e097.json"
       ]
      ]
     }
@@ -991,7 +991,7 @@
        {
         "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
        },
-       "/26a86baa1f7a7274bc43922caad22fa28546b8934343da72395fda351aa5f2aa.json"
+       "/03063b33cd0e6181b1deeeb06d2eb78f33ad4f71f39310976d3a81023e3cb72d.json"
       ]
      ]
     }

packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/asset.c491874c6f9e547809cebf58ee410359efeaa16c82cafaf131b323fd1f502f2c/get/__init__.py renamed to packages/@aws-cdk-testing/framework-integ/test/aws-eks/test/integ.alb-controller-authapi.js.snapshot/asset.623f9dde2c765e8d16b1f59b011a5eea9e619043f8ced2ed316a7a6f03f5c9d4/get/__init__.py

@@ -50,7 +50,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "75f7b6a23d8f39fbba91063166ea824a6b248a2b6eb9e9f6ce75ac58d33a1941.zip"
+     "S3Key": "fbe89680da6eb304bf1bd582d61bdb89d82c75c3b2f4c87040c9385af73b9299.zip"
     },
     "Description": "onEvent handler for EKS cluster resource provider",
     "Environment": {
@@ -123,7 +123,7 @@
      "S3Bucket": {
       "Fn::Sub": "cdk-hnb659fds-assets-${AWS::AccountId}-${AWS::Region}"
      },
-     "S3Key": "75f7b6a23d8f39fbba91063166ea824a6b248a2b6eb9e9f6ce75ac58d33a1941.zip"
+     "S3Key": "fbe89680da6eb304bf1bd582d61bdb89d82c75c3b2f4c87040c9385af73b9299.zip"
     },
     "Description": "isComplete handler for EKS cluster resource provider",
     "Environment": {