ci: Quote Github variable expansion.

This prevents tag names from injecting Bash commands into the release note creation step.

Author: seifertm

.github/workflows/main.yml

@@ -155,7 +155,7 @@ jobs:
       if: github.event_name == 'push' && contains(github.ref, 'refs/tags/')
       run: |
         set -e
-        git for-each-ref ${{ github.ref }} --format='%(contents)' > release-notes.rst
+        git for-each-ref "${{ github.ref }}" --format='%(contents)' > release-notes.rst
         # Strip PGP signature from signed tags
         sed -i "/-----BEGIN PGP SIGNATURE-----/,/-----END PGP SIGNATURE-----\n/d" release-notes.rst
     - name: Convert Release Notes to Markdown