fix: resolve litellm CVEs, deduplicate jwt expiry check, fix GH Actions shell injection

[aashishkumar-tech]

Closes #1485

Changes

Fix 1 — litellm upper bound (pyproject.toml)

• Removed <1.82.6 upper bound on litellm dependency
• Allows pip to resolve litellm 1.87.0+ which contains patches for 7 CVEs:
  CVE-2026-35029, CVE-2026-35030, GHSA-69x8-hrgq-fjj8, CVE-2026-42203,
  CVE-2026-42208, CVE-2026-42271, CVE-2026-40217

Fix 2 — Deduplicate jwt expiry check

• Created shared utility guardrails/hub_token/utils.py with client_check_token_expiry()
• Uses manual base64 decode of exp claim instead of jwt.decode(verify_signature=False)
• Removes the unverified-signature pattern from both hub_client.py and token.py
• Added 4 unit tests in tests/unit_tests/hub/test_jwt_expiry.py

Fix 3 — GitHub Actions shell injection

• Moved all 4 ${{ inputs.* }} interpolations in validator_pypi_publish/action.yml to env: blocks
• Shell references them as environment variables instead of inline interpolation
• Prevents potential secret masking bypass via transformations

[vercel]

@aashishkumar-tech is attempting to deploy a commit to the Guardrails AI Team on Vercel.

A member of the Team first needs to authorize it.