ci: fix script injection in outcome job

[persimmon16]

Summary

Remediates a GitHub Actions script injection vulnerability (CWE-78) in the CI workflow's outcome job, identified by Wiz as issue 16f1da6f-ae19-4da7-9122-1f3e33ba5e10 (HIGH severity).

The toJson(needs) expression was interpolated directly into an inline run: script via a single-quoted here-string. Because ${{ }} expressions are evaluated before the shell parser, any single-quote character in a needs output value (e.g., derived from a crafted commit message processed through calculate_matrix) would terminate the quoted string and yield arbitrary shell execution on the runner.

Fix: Move toJson(needs) to an env: block and reference the resulting shell variable. The runner's environment variable API sets the value without shell interpolation, eliminating the injection vector entirely.

Change

- run: jq --exit-status '...' <<< '${{ toJson(needs) }}'
+ env:
+   NEEDS_CONTEXT: ${{ toJson(needs) }}
+ run: jq --exit-status '...' <<< "$NEEDS_CONTEXT"

References

• Wiz Issue: 16f1da6f-ae19-4da7-9122-1f3e33ba5e10
• Wiz Rule: wc-id-3075 — Publicly exposed code repository with workflow script injection
• GitHub Security Lab: Keeping your GitHub Actions and workflows secure

[persimmon16]

Superseded by new PR targeting master to pass verify-channel.sh CI gate.