fix(ci): remove template injection on pull_request_target workflows (#45956)
fix(ci): remove template injection across workflows
Replace every `error[template-injection]` finding flagged by zizmor with
the env-var pattern so PR-author/matrix/input-derived values cannot be
expanded into shell or `actions/github-script` JS source by GitHub
Actions templating.
Files touched:
- pr_slow_ci_suggestion.yml (`pull_request_target`): heredoc that
  interpolated `PR_FILES` and JS bodies that interpolated
  `PR_HEAD_REPO_OWNER/NAME/SHA`/`PR_NUMBER` now use `env:` + `process.env`.
- pr-repo-consistency-bot.yml (`issue_comment`): quoted all
  `${PR_HEAD_REF}`/`${PR_HEAD_SHA}`/`${PR_HEAD_REPO_FULL_NAME}` shell
  expansions; the final `Comment on PR` step also moved to `env:`.
- trl-ci-bot.yml (`issue_comment`): `github.event.issue.pull_request.url`
  via env.
- get-pr-info.yml, check_failed_tests.yml: `inputs.pr_number` and
  `inputs.commit_sha` passed via env, used as JS locals.
- collated-reports.yml: machine_type/job/report_repo_id/gpu_name via env
  and quoted in the python invocation.
- model_jobs_intel_gaudi.yml: inputs.folder_slices / machine_type /
  report_name_prefix and matrix.folders via env; report-directory name
  built once and reused.
- self-scheduled-flash-attn-caller.yml: prev/other_workflow_run_id via
  env before being written to disk.
- self-scheduled-intel-gaudi.yml: inputs.job via env; NUM_SLICES via env
  inside `python3 -c`.
Zizmor 1.24.1: 22 `error[template-injection]` -> 0. `node --check` and
`bash -n` pass on every `run:` / `script:` block touched. Behavior
preserved: same values reach the same code paths, only the wiring
changed (templating -> env vars).
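
The env-var pattern named in this commit message, shown on a constructed workflow with the templated form beside the rewired form. This is an added example, not one of the files changed by the commit; the workflow name, job names, step names and `PR_TITLE` are assumptions made for illustration.

```yaml
# Constructed workflow for illustration; not a file from this repository.
name: template-injection-demo
on:
  pull_request_target:

permissions:
  contents: read

jobs:
  before:
    runs-on: ubuntu-latest
    steps:
      # Reported by zizmor as template-injection: the ${{ }} expression is
      # expanded into the script text before bash parses it, so a value
      # chosen by the PR author becomes part of the shell source.
      - name: Show head ref (templated)
        run: |
          echo "Head ref: ${{ github.event.pull_request.head.ref }}"

      # Same issue, with the value expanded into JavaScript source.
      - name: Log PR title (templated)
        uses: actions/github-script@v7
        with:
          script: |
            console.log("Title: ${{ github.event.pull_request.title }}");

  after:
    runs-on: ubuntu-latest
    steps:
      # The expression is evaluated into an environment variable. The script
      # text is constant, and the value is read at run time as data only.
      - name: Show head ref (env-var pattern)
        env:
          PR_HEAD_REF: ${{ github.event.pull_request.head.ref }}
        run: |
          echo "Head ref: ${PR_HEAD_REF}"

      - name: Log PR title (env-var pattern)
        uses: actions/github-script@v7
        env:
          PR_TITLE: ${{ github.event.pull_request.title }}
        with:
          script: |
            console.log(`Title: ${process.env.PR_TITLE}`);
```

Quoting the shell expansion (`"${PR_HEAD_REF}"`) still matters after the move to `env:`, because an unquoted variable is subject to word splitting and globbing even though it can no longer alter the script source.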