fixup! Adding winget workflows

According to the winget-create documentation, for CI/CD scenarios it is
recommended to use the WINGET_CREATE_GITHUB_TOKEN environment variable
to pass the token to wingetcreate.exe rather than the -t command-line
flag.

The concern is that command-line arguments might be logged in process
listings, whereas environment variables are more secure as they are not
typically exposed in such listings.

This is not so much a concern in our use case, because we diligently
mask out the secret value from the logs.

Co-authored-by: Johannes Schindelin <johannes.schindelin@gmx.de>

Author: Copilot

.github/workflows/release-winget.yml

@@ -73,12 +73,12 @@ jobs:
                  "$($asset_arm64_url)|arm64|user"
 
           # Download the token from Azure Key Vault and mask it in the logs
-          az keyvault secret download --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --file token.txt
-          Write-Host -NoNewLine "::add-mask::$(Get-Content token.txt)"
+          $env:WINGET_CREATE_GITHUB_TOKEN = az keyvault secret show --name ${{ secrets.WINGET_TOKEN_SECRET_NAME }} --vault-name ${{ secrets.AZURE_VAULT }} --query "value" -o tsv
+          Write-Host -NoNewLine "::add-mask::$env:WINGET_CREATE_GITHUB_TOKEN"
 
           # Submit the manifest to the winget-pkgs repository
           $manifestDirectory = "$PWD\manifests\m\Microsoft\Git\$version"
-          $output = & .\wingetcreate.exe submit -t "$(Get-Content token.txt)" $manifestDirectory
+          $output = & .\wingetcreate.exe submit $manifestDirectory
           Write-Host $output
           $url = ($output | Select-String -Pattern 'https://\S+' | ForEach-Object { $_.Matches.Value })[0]
           Write-Host "::notice::Submitted ${env:TAG_NAME} to winget as $url"