ci: Read build matrix JSON explicitly (#1461)

Because we used require() to read build-matrix.json, the file could be
replaced with build-matrix.json.js, allowing code injection into our CI
pipelines. This fixes this vulnerability by reading the JSON text with
the fs module, then explicitly parsing it, rather than relying on
require().

This also changes the location of the file, to match its location in
other projects.

Note that this workflow is not currently giving any elevated permissions
to users, so it is not currently possible to damage the repo through a
PR. But this might have been possible in the past, due to
organization-wide defaults for token permissions (recently fixed). No
evidence has been found of past exploit.

See also https://github.com/shaka-project/shaka-streamer/issues/216 and
https://github.com/shaka-project/static-ffmpeg-binaries/issues/57

.github/workflows/build.yaml

@@ -52,16 +52,18 @@ jobs:
         id: configure
         shell: node {0}
         run: |
+          const fs = require('fs');
+
           const enableSelfHosted = ${{ inputs.self_hosted }};
+          const buildMatrix = JSON.parse(fs.readFileSync("${{ github.workspace }}/build-matrix.json"));
 
           // Use enableSelfHosted to decide what the build matrix below should
           // include.
-          const {hosted, selfHosted} = require("${{ github.workspace }}/.github/workflows/build-matrix.json");
+          const {hosted, selfHosted} = buildMatrix;
           const include = enableSelfHosted ? hosted.concat(selfHosted) : hosted;
           const os = include.map((config) => config.os);
 
           // Output JSON objects consumed by the build matrix below.
-          const fs = require('fs');
           fs.writeFileSync(process.env.GITHUB_OUTPUT,
               [
                 `INCLUDE=${ JSON.stringify(include) }`,