fix(workflow): prevent shell injection in grace_period_minutes input

inputs.grace_period_minutes is a free-text string that was previously
interpolated directly into the shell script body, allowing a crafted
value (e.g. "1 $(malicious)") to execute arbitrary commands.

Fix:
- Assign the input to GRACE_PERIOD_INPUT env var so it never reaches
  the script body as a template expression.
- Validate with ^[0-9]+$ before use; emit a ::warning:: and skip the
  flag if the value is non-numeric.
- Build the argument as a bash array (GRACE_ARGS) so the flag name and
  value are always passed as two separate quoted tokens, eliminating
  word-splitting and command-substitution risks.

Signed-off-by: SachinduNethmin <108050026+Sachindu-Nethmin@users.noreply.github.com>

Author: Sachindu-Nethmin

.github/workflows/auto-close.yml

@@ -53,20 +53,25 @@ jobs:
       - name: Run auto-close
         env:
           GITHUB_TOKEN: ${{ github.token }}
+          GRACE_PERIOD_INPUT: ${{ inputs.grace_period_minutes }}
         run: |
           DRY_RUN_FLAG=""
           if [ "${{ inputs.dry_run }}" = "true" ]; then
             DRY_RUN_FLAG="--dry-run"
           fi
 
-          GRACE_FLAG=""
-          if [ -n "${{ inputs.grace_period_minutes }}" ]; then
-            GRACE_FLAG="--grace-period-minutes ${{ inputs.grace_period_minutes }}"
+          GRACE_ARGS=()
+          if [[ -n "$GRACE_PERIOD_INPUT" ]]; then
+            if [[ "$GRACE_PERIOD_INPUT" =~ ^[0-9]+$ ]]; then
+              GRACE_ARGS=("--grace-period-minutes" "$GRACE_PERIOD_INPUT")
+            else
+              echo "::warning::grace_period_minutes must be a positive integer; ignoring value '$GRACE_PERIOD_INPUT'"
+            fi
           fi
 
           ./simili-cli auto-close \
             --repo "${{ github.repository }}" \
             --config .github/simili.yaml \
             --verbose \
             $DRY_RUN_FLAG \
-            $GRACE_FLAG
+            "${GRACE_ARGS[@]}"