ci: fix RCE vulnerability in file overwrite

vuejs/core#10985

Special thanks to @redyetidev

Author: sxzz

.github/workflows/size-report.yml

@@ -40,12 +40,13 @@ jobs:
         with:
           name: pr-number
           run_id: ${{ github.event.workflow_run.id }}
+          path: /tmp/pr-number
 
       - name: Read PR Number
         id: pr-number
         uses: juliangruber/read-file-action@v1
         with:
-          path: ./pr.txt
+          path: /tmp/pr-number/pr.txt
 
       - name: Download Size Data
         uses: dawidd6/action-download-artifact@v3