prefect
fix: prevent command injection in npm_update_latest_prefect workflow
Summary
- Use environment variables instead of direct expression interpolation for workflow inputs in shell commands
- Prevents potential command injection if input values contain shell metacharacters
Context
The npm_update_latest_prefect.yaml workflow was using ${{ inputs.package_name }} and ${{ inputs.package_version }} directly in shell run commands. This pattern can allow command injection because the expressions are interpolated before the shell executes, meaning special characters in the inputs could be interpreted as shell commands.
This change moves the inputs to environment variables, which are safely handled as string values by the shell.
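The mechanism the PR describes, as an added example that is not part of the project's workflow: `sh -c` stands in for the Actions runner, `run_interpolated` models a `run:` step where `${{ inputs.package_name }}` is spliced into the script text, and `run_via_env` models the fixed step that passes the same input through `env:` as `PACKAGE_NAME` (both function names and the sample input are constructed here).

```shell
#!/bin/sh
# Added example (not the project's npm_update_latest_prefect.yaml): models how
# the runner handles a `run:` command in each case, with sh -c in place of
# the Actions runner.

# Before: the expression value is substituted into the script source before
# the shell parses it, so an input such as `lodash; echo injected` turns the
# command into `echo lodash; echo injected`, two commands instead of one.
run_interpolated() {
  sh -c "echo $1"
}

# After: the value reaches the shell as an environment variable and is
# referenced as "$PACKAGE_NAME"; the shell never re-parses its contents,
# so metacharacters stay inside one literal argument.
run_via_env() {
  PACKAGE_NAME="$1" sh -c 'echo "$PACKAGE_NAME"'
}

# Constructed input carrying a shell metacharacter.
INPUT='lodash; echo injected'

echo "--- interpolated (vulnerable) ---"
run_interpolated "$INPUT"
echo "--- via env (fixed) ---"
run_via_env "$INPUT"
```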