Fix environment variable injection vulnerability in publish-test-results workflow

Fix code scanning alert for environment variable injection by correcting the tr command to properly sanitize PR_NUMBER. Changed from tr -cd '[0-9]' to tr -cd '0-9' to ensure only digits are allowed, preventing potential injection attacks from user-controlled workflow_run events.

Author: mulana

.github/workflows/publish-test-results.yml

@@ -37,7 +37,7 @@ jobs:
         run: |
           eventjson=`cat 'artifacts/Event File/event.json'`
           prnumber=`echo $(jq -r '.pull_request.number' <<< "$eventjson")`
-          echo "PR_NUMBER=$(echo $prnumber | tr -cd '[0-9]')" >> $GITHUB_ENV
+          echo "PR_NUMBER=$(echo $prnumber | tr -cd '0-9')" >> $GITHUB_ENV
       
       - name: Publish Unit Test Results
         uses: EnricoMi/publish-unit-test-result-action@v2