fix: sanitize repo path and add trailing newline in dependency updater #1061

Open

Kewe63 wants to merge 4 commits into main from Kewe63:fix/dependency-updater-path-traversal-and-newline-v2

Conversation


@Kewe63 Kewe63 commented May 11, 2026

Summary

Enhances the security of the dependency updater, ensures POSIX compliance, and improves error handling.

Problem

  • The tool was vulnerable to path traversal attacks via the --repo flag (CWE-22).
  • The versions.env output file lacked a trailing newline, violating POSIX standards and causing issues with some tools.
  • Error messages were using %s instead of %w, losing original error context for debugging.

Solution

  • Implemented a security check to ensure the resolved repository path stays within the GITHUB_WORKSPACE directory.
  • Added a trailing newline to the versions.env file generation.
  • Switched to %w for all relevant error formatting.
  • Refactored commit message generation to use a structured, professional template.

Verification

  • Verified the security check blocks paths outside the workspace.
  • Confirmed the trailing newline is present in the output.
  • Verified error chaining works correctly.

Impact

Improves the security, reliability, and maintainability of the automated dependency update pipeline.
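The containment check and the trailing-newline change described in the Solution bullets above, as an added example; this is not the project's code. It assumes the --repo value is resolved against GITHUB_WORKSPACE, that only lexical path cleaning is needed (symlinks are not followed), and that versions.env holds KEY=VALUE lines.

```go
package main

import (
	"errors"
	"fmt"
	"path/filepath"
	"strings"
)

// ErrOutsideWorkspace is returned when the resolved --repo path escapes the workspace.
var ErrOutsideWorkspace = errors.New("repository path escapes GITHUB_WORKSPACE")

// resolveRepoPath resolves repoFlag (the --repo value) against workspace and rejects
// any result outside it. Both sides are cleaned and absolute before comparison, so
// "../", "./" and doubled separators cannot slip past a naive string-prefix check.
// Assumption: symlinks inside the workspace are not resolved here.
func resolveRepoPath(workspace, repoFlag string) (string, error) {
	wsAbs, err := filepath.Abs(workspace)
	if err != nil {
		return "", fmt.Errorf("resolving workspace %q: %w", workspace, err)
	}
	repoAbs := repoFlag
	if !filepath.IsAbs(repoAbs) {
		repoAbs = filepath.Join(wsAbs, repoAbs)
	}
	repoAbs = filepath.Clean(repoAbs)
	// filepath.Rel starts with ".." exactly when repoAbs lies outside wsAbs.
	rel, err := filepath.Rel(wsAbs, repoAbs)
	if err != nil {
		return "", fmt.Errorf("relating %q to workspace: %w", repoAbs, err)
	}
	if rel == ".." || strings.HasPrefix(rel, ".."+string(filepath.Separator)) {
		return "", fmt.Errorf("--repo %q: %w", repoFlag, ErrOutsideWorkspace)
	}
	return repoAbs, nil
}

// renderVersionsEnv formats KEY=VALUE pairs and ends the file with a newline so
// POSIX line-oriented tools (read, grep, diff) see the last entry as a full line.
func renderVersionsEnv(pairs [][2]string) string {
	var b strings.Builder
	for _, kv := range pairs {
		fmt.Fprintf(&b, "%s=%s\n", kv[0], kv[1])
	}
	return b.String()
}

func main() {
	_, err := resolveRepoPath("/tmp/ws", "../../etc") // constructed input; must be refused
	fmt.Println(errors.Is(err, ErrOutsideWorkspace))  // true
}
```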

@cb-heimdall (Collaborator) commented

🟡 Heimdall Review Status

Requirement: Reviews
Status: 🟡 0/1

Denominator calculation:
  • 1 if user is bot: 0
  • 1 if user is external: 0
  • 2 if repo is sensitive: 0
  • From .codeflow.yml: 1
  • Additional review requirements, max: 0
      • From CODEOWNERS: 0
      • Global minimum: 0
  • Max: 1
  • 1 if commit is unverified: 1
  • Sum: 2
