fix: use env var indirection for inputs.include-hidden-files (CMD_EXEC)

[nbuckwalt]

Security Fix: CMD_EXEC via inputs.include-hidden-files

Summary

`inputs.include-hidden-files` is directly interpolated into the `run:` shell command across all three "Archive artifact" steps (Linux/macOS/Windows variants):
```
${{ inputs.include-hidden-files != 'true' && '--exclude=.[^/]*' || '' }}
```
A caller passing a crafted value could inject arbitrary shell arguments or commands into the `tar` invocation.

Fix

Map the input to an `env:` variable (`INCLUDE_HIDDEN_FILES`) and evaluate the condition in shell using `[ "$INCLUDE_HIDDEN_FILES" != 'true' ]`. Applied to all three platform-specific steps. Behavior is identical.

References

• GitHub Security Lab: Preventing pwn requests
• Rule: CMD_EXEC (CRITICAL)

🤖 Generated with Claude Code

[Copilot]

Pull request overview

Updates the composite GitHub Action to mitigate a GitHub Actions expression injection vector (CMD_EXEC) by removing direct interpolation of inputs.include-hidden-files into shell commands and instead evaluating it via an environment variable in the shell.

Changes:

• Replaced ${{ ... }} expression interpolation in run: with a shell conditional based on INCLUDE_HIDDEN_FILES.
• Added INCLUDE_HIDDEN_FILES to env: for each platform-specific “Archive artifact” step (Linux/macOS/Windows).

---

💡 Add Copilot custom instructions for smarter, more guided reviews. Learn how to get started.