
fix(release:PLA-1355): harden version tag input#65

Open
0x666c6f wants to merge 2 commits into morpho-main from feature/pla-1355-erpc-harden-release-workflow-against-version_tag-template

Conversation

0x666c6f (Collaborator) commented May 6, 2026

Summary

  • Harden release workflow_dispatch version_tag handling against template injection.

Changes

  • Add strict Bash semver validation through an env passthrough before release prep runs.
  • Replace raw version_tag interpolation inside run scripts with validated env/output values.
  • Quote existing workflow output writes flagged by actionlint.

Linear

Copilot AI review requested due to automatic review settings May 6, 2026 09:02
@0x666c6f 0x666c6f self-assigned this May 6, 2026
linear Bot commented May 6, 2026


chatgpt-codex-connector Bot left a comment


💡 Codex Review

Here are some automated review suggestions for this pull request.

Reviewed commit: 5459191362


Comment thread .github/workflows/release.yml Outdated

Copilot AI left a comment


Pull request overview

This PR hardens the GitHub Actions release workflow’s workflow_dispatch version_tag handling to prevent template injection and reduce unsafe interpolation in shell steps.

Changes:

  • Added a Bash validation step for version_tag and routed the validated value through step/job outputs.
  • Replaced direct ${{ github.event.inputs.version_tag }} interpolation in run: scripts with environment variables populated from the validated output.
  • Quoted $GITHUB_OUTPUT writes and grouped multiple output writes to satisfy actionlint-style safety checks.

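The validation and env-passthrough pattern summarised in the PR description and in the Copilot overview above, as an added example that is not the PR's own code and not the repository's release.yml. The workflow step wiring shown in the comment, the script name validate_version_tag.sh, the functions validate_version_tag and write_version_output, and the sample inputs are all assumptions. It goes slightly beyond the page in one respect: it rejects values containing a newline explicitly, because a line-oriented grep check would otherwise accept a value whose first line is a valid tag.

```shell
#!/usr/bin/env bash
# Added example, not code from the PR: strict semver validation for a
# workflow_dispatch version_tag, read from an environment variable instead
# of being interpolated with ${{ }} into the script text.
#
# Assumed workflow wiring (illustrative, not the repository's release.yml):
#
#   - name: Validate version tag
#     id: validate
#     env:
#       VERSION_TAG: ${{ github.event.inputs.version_tag }}
#     run: ./validate_version_tag.sh "$VERSION_TAG"
#
# Later steps read steps.validate.outputs.version_tag rather than the raw
# input, so an unvalidated value never becomes part of a run: script body.

# Strict MAJOR.MINOR.PATCH with an optional leading "v": digits and dots
# only, no pre-release or build metadata, no leading zeros.
SEMVER_RE='^v?(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)$'
NL='
'

# validate_version_tag TAG
# Prints TAG and returns 0 when it is a strict semver tag; returns 1 otherwise.
validate_version_tag() {
  vt_tag="$1"
  # grep matches line by line, so a value containing a newline could pass
  # on its first line alone; reject embedded newlines before the regex check.
  case "$vt_tag" in
    *"$NL"*) printf 'invalid version_tag: contains newline\n' >&2; return 1 ;;
  esac
  if printf '%s' "$vt_tag" | grep -Eq "$SEMVER_RE"; then
    printf '%s\n' "$vt_tag"
    return 0
  fi
  printf 'invalid version_tag: %s\n' "$vt_tag" >&2
  return 1
}

# write_version_output TAG
# Validates TAG and, when GITHUB_OUTPUT is set (as it is on a runner),
# appends it as a step output with the output path quoted, as actionlint expects.
write_version_output() {
  wv_tag="$(validate_version_tag "$1")" || return 1
  if [ -n "${GITHUB_OUTPUT:-}" ]; then
    echo "version_tag=${wv_tag}" >> "$GITHUB_OUTPUT"
  fi
  return 0
}

# Constructed sample inputs: well-formed tags are accepted; anything else,
# including values carrying shell metacharacters, is rejected before it can
# reach the release preparation step.
for sample in 'v1.2.3' '1.0.0' 'v01.2.3' '1.2' 'v1.2.3;echo x' '$(id)'; do
  if validate_version_tag "$sample" >/dev/null 2>&1; then
    echo "accept: $sample"
  else
    echo "reject: $sample"
  fi
done
```

The point of the env passthrough is that the untrusted value reaches the shell only as the contents of a variable, never as shell source text, so quoting it with "$VERSION_TAG" keeps it inert; the validation step then narrows it to a tag shape before any later step consumes it through the step output.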

Comment thread .github/workflows/release.yml Outdated
Comment thread .github/workflows/release.yml

2 participants