fixup! Add --ref-format option to scalar clone (#829)

release-winget: use WINGET_CREATE_GITHUB_TOKEN environment variable

According to the winget-create documentation, for CI/CD scenarios it is
recommended to use the WINGET_CREATE_GITHUB_TOKEN environment variable
to pass the token to wingetcreate.exe rather than the -t command-line
flag.

The concern is that command-line arguments might be logged in process
listings, whereas environment variables are more secure as they are not
typically exposed in such listings.

This change:
- Retrieves the token from Azure Key Vault directly into a variable
  using `az keyvault secret show` instead of downloading to a file
- Sets the WINGET_CREATE_GITHUB_TOKEN environment variable
- Removes the -t flag from the wingetcreate.exe submit command
- Removes the need for the token.txt file

Co-authored-by: dscho <[email protected]>

Author: Copilot

.github/workflows/release-winget.yml

@@ -27,8 +27,7 @@ jobs:
           tenant-id: ${{ secrets.AZURE_TENANT_ID }}
           subscription-id: ${{ secrets.AZURE_SUBSCRIPTION_ID }}
 
-      - name: Create manifests with winget-create
-        id: manifests
+      - name: Publish manifest with winget-create
         run: |
           # Enabling stop on error and tracing
           Set-PSDebug -Trace 2
@@ -73,30 +72,12 @@ jobs:
                  "$($asset_arm64_url)|arm64|machine" `
                  "$($asset_arm64_url)|arm64|user"
 
-          # Output the version and tag name for use in the next step
-          "version=$version" >> $env:GITHUB_OUTPUT
-          "tag_name=$env:TAG_NAME" >> $env:GITHUB_OUTPUT
-        shell: powershell
-
-      - name: Retrieve winget token
-        id: token
-        run: |
-          $token = az keyvault secret show `
-            --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} `
-            --vault-name ${{ secrets.AZURE_VAULT }} `
-            --query "value" -o tsv
-          if ([string]::IsNullOrWhiteSpace($token)) {
-            throw "Failed to retrieve token from Azure Key Vault"
-          }
-          Write-Host -NoNewLine "::add-mask::$token"
-          "result=$token" >> $env:GITHUB_OUTPUT
-        shell: powershell
+          # Download the token from Azure Key Vault and set the environment variable
+          $env:WINGET_CREATE_GITHUB_TOKEN = az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value" -o tsv
+          Write-Host -NoNewLine "::add-mask::$env:WINGET_CREATE_GITHUB_TOKEN"
 
-      - name: Submit manifest to winget-pkgs
-        run: |
-          $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\${{ steps.manifests.outputs.version }}"
-          Write-Host -NoNewLine "::notice::Submitting ${{ steps.manifests.outputs.tag_name }} to winget... "
+          # Submit the manifest to the winget-pkgs repository
+          $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\$version"
+          Write-Host -NoNewLine "::notice::Submitting ${env:TAG_NAME} to winget... "
           .\wingetcreate.exe submit $manifestDirectory
         shell: powershell
-        env:
-          WINGET_CREATE_GITHUB_TOKEN: ${{ steps.token.outputs.result }}