fixup! Add --ref-format option to scalar clone (#829)

release-winget: use WINGET_CREATE_GITHUB_TOKEN environment variable

According to the winget-create documentation, for CI/CD scenarios it is
recommended to use the WINGET_CREATE_GITHUB_TOKEN environment variable
to pass the token to wingetcreate.exe rather than the -t command-line
flag.

The concern is that command-line arguments might be logged in process
listings, whereas environment variables are more secure as they are not
typically exposed in such listings.

This change:
- Retrieves the token from Azure Key Vault directly into the
  WINGET_CREATE_GITHUB_TOKEN environment variable using
  `az keyvault secret show` instead of downloading to a file
- Removes the -t flag from the wingetcreate.exe submit command
- Removes the need for the token.txt file

Co-authored-by: dscho <[email protected]>

Author: Copilot

.github/workflows/release-winget.yml

@@ -72,7 +72,7 @@ jobs:
                  "$($asset_arm64_url)|arm64|machine" `
                  "$($asset_arm64_url)|arm64|user"
 
-          # Download the token from Azure Key Vault and set the environment variable
+          # Download the token from Azure Key Vault and mask it in the logs
           $env:WINGET_CREATE_GITHUB_TOKEN = az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value" -o tsv
           Write-Host -NoNewLine "::add-mask::$env:WINGET_CREATE_GITHUB_TOKEN"