Fix script injection risk by passing inputs via env vars

[illera88]

Summary

• Moves ${{ inputs.* }} interpolation from the run: script body into the env: block, referencing values as shell variables instead.
• This prevents potential script injection via crafted input values — environment variables are assigned before the shell interprets the script, so values can never break out of their string context.
• Also eliminates the heredoc complexity, improving readability.

Problem

The current action.yml interpolates inputs directly into the bash script body using ${{ inputs.* }} inside heredocs. If an attacker controls any input value (e.g. through a dynamically constructed allowed-failures sourced from untrusted data), they could inject arbitrary shell commands by crafting a value that breaks out of the heredoc delimiter.

Solution

Pass inputs through the env: block instead:

env:
  INPUT_ALLOWED_FAILURES: ${{ inputs.allowed-failures }}
  INPUT_ALLOWED_SKIPS: ${{ inputs.allowed-skips }}
  INPUT_JOBS: ${{ inputs.jobs }}
run: |
  python -m normalize_needed_jobs_status \
    "$INPUT_ALLOWED_FAILURES" \
    "$INPUT_ALLOWED_SKIPS" \
    "$INPUT_JOBS"

This is the recommended pattern per GitHub's security hardening docs.

[illera88]

The pre-commit action fails for something unrelated to my PR

[webknjaz]

Oh, interesting. This is similar to what I was going to do but a little simpler. It won't be releasable immediately, though.
In the future, though, please submit draft advisories instead of going public right away.

[illera88]

The CI is failing. Can you fix that please?

[webknjaz]

Alright.. I'm merging this as is but will have to do some maintenance before I can tag it as a stable release.