refactor / enable Trakt API keys from environment variables

[vladjerca]

⚠️ Security Notice: Trakt API Application Deactivation

Important: The current Trakt API application (key and secret) will be disabled in 30 days.

• Impact: Versions built with the old API credentials will no longer be able to use Trakt once the application is disabled.
• Action Required (within 2 weeks): Add TRAKT_CLIENT_ID and
  TRAKT_CLIENT_SECRET to Repository Secrets so a new release can be built before the 30-day cutoff.

Overview

This PR secures the Trakt API credentials by moving them from plain text in the
source code to a build-time injection process. Keys are now obfuscated in the
codebase and only injected during the release build via GitHub Actions.

Key Changes

• Security: Replaced hardcoded keys in traktapi.py with placeholders and
  added local XOR obfuscation.
• Local Dev: Added support for TRAKT_CLIENT_ID and TRAKT_CLIENT_SECRET
  environment variables to override injected keys for development.
• CI/CD: Updated .github/workflows/submit.yml to inject secrets from
  repository variables before packaging.

Maintainer Actions

1. Add Secrets: Go to Repo Settings > Secrets and add TRAKT_CLIENT_ID and
   TRAKT_CLIENT_SECRET.
2. Merge: Merge this PR to enable the new secure build process.

[razzeee]

The owners haven't been around for quiet some time so, we can't add stuff to the CI env.

The obfuscation is kinda pointless.

[vladjerca]

The owners haven't been around for quiet some time so, we can't add stuff to the CI env.

My understanding was that you are maintainer here (looking at history).

@razzeee according to Github you should have enough permissions to define these secrets https://docs.github.com/en/actions/how-tos/write-workflows/choose-what-workflows-do/use-secrets#creating-secrets-for-a-repository

The obfuscation is kinda pointless.

My goal is to reduce spread and make it harder than just copy / pasting the raw value from the zip file, hence not pointless.

[vladjerca]

@razzeee from what I see the Trakt for Kodi is owned by razze.

[vladjerca]

I've created a new Trakt for Kodi app and renamed the old one to Trakt for Kody - Legacy (expires 1st March) - Update Required.

@razzeee / @rudf0rd / @rectifyer the Submitter fails https://github.com/trakt/script.trakt/actions/runs/21946607250/job/63385756890

Seems like the xbmc/action-kodi-addon-submitter@v1.3 fails with invalid credentials.

[vladjerca]

@razzeee / @rudf0rd from what I can tell this repository was transferred over from @razzeee the submit action required this fork to function: https://github.com/razzeee/repo-scripts

[razzeee]

See #627 was ignored for at least 3 years

[vladjerca]

@razzeee I suggest you delete your fork and we can transfer repo ownership to you.