fix(release): correct OSS credentials lifetime and mirror probe fallback

- release.yml: remove `trap EXIT` inside the Configure step; it deleted
  ${RUNNER_TEMP}/.ossutilconfig as soon as the configure shell exited,
  so every subsequent step (publish/sync/verify) lost the credentials.
  Move credential cleanup to a final `if: always()` step at the job tail.
- install-qwen-standalone.sh: drop the predictable PID-based fallback used
  when `mktemp -d` fails in race_mirror_head; on mktemp failure, return
  "github" instead of using /tmp/qwen-mirror.$$, which a local attacker
  could pre-create to bias mirror selection.
yiliang114 2026-05-17 23:18:13 +08:00
parent 3f60c2c0e8
commit 273a01252f
2 changed files with 13 additions and 3 deletions


@ -682,8 +682,13 @@ race_mirror_head() {
local gh_url="$2"
local oss_url="$3"
local tmpdir
tmpdir=$(mktemp -d -t qwen-mirror.XXXXXX 2>/dev/null) || tmpdir="/tmp/qwen-mirror.$$"
mkdir -p "${tmpdir}" 2>/dev/null || true
if ! tmpdir=$(mktemp -d -t qwen-mirror.XXXXXX 2>/dev/null); then
# Refuse to fall back to a predictable PID-based path; a local attacker
# could pre-create it to influence mirror selection.
echo "mirror probe: mktemp failed" >&2
echo "github"
return 0
fi
register_temp_dir "${tmpdir}"
(probe_url_available "${oss_url}" "${timeout}" && : > "${tmpdir}/aliyun") &