
Add semver format guard for VERSION in monorepo-release workflow #65

@github-actions

Description


Summary

The VERSION and TAG values extracted from pyproject.toml in the monorepo release workflow are written to GITHUB_OUTPUT without a post-extraction format check. A malformed version value (containing newlines, special characters, or flag-like strings) could propagate into downstream git tag and gh release create commands.

File & Location

  • File: .github/workflows/monorepo-release.yml
  • Line: 42

Original Review Comment

Category: Input Validation and Sanitization (Category 1)
Severity: Low / Informational

The VERSION and TAG values are extracted from pyproject.toml via grep | sed and written directly to GITHUB_OUTPUT without a post-extraction format check:

VERSION=$(grep -m1 '^version' pyproject.toml \
  | sed 's/version *= *"\(.*\)"/\1/')
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"

If pyproject.toml is tampered with (e.g., via a supply-chain attack on the monorepo itself), a malformed VERSION value (containing newlines, special characters, or git flag-like strings) could propagate into GITHUB_OUTPUT and into downstream git tag -a "$TAG" and gh release create "$TAG" commands. These commands do properly quote $TAG, which limits the immediate risk; nonetheless a semver guard is inexpensive.

Recommendation: Add a format guard before writing to GITHUB_OUTPUT:

if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

Proposed Fix

Add a semver regex validation step immediately after extracting VERSION and before writing to GITHUB_OUTPUT:

if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi
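To show what the guard actually catches, here is the extraction pipeline from the workflow and the proposed check wired together as functions, run against a few constructed pyproject.toml bodies. This is an added example for this issue, not code from the monorepo-release workflow itself; the function names (extract_version, is_valid_version, version_outputs) and the sample TOML snippets are invented for the demonstration, and the guard regex is the one proposed above, copied verbatim.

```shell
#!/usr/bin/env bash
# Added example (not the workflow's own code): run the workflow's grep|sed
# extraction on sample pyproject.toml text, then apply the proposed semver
# guard before anything would be written to GITHUB_OUTPUT.
# All pyproject.toml contents below are constructed for this example.

# Same extraction pipeline as the workflow, reading the TOML text from
# stdin instead of a file.
extract_version() {
  grep -m1 '^version' | sed 's/version *= *"\(.*\)"/\1/'
}

# The proposed guard as a predicate: 0 for an acceptable version string,
# 1 otherwise. Bash [[ =~ ]] matches the whole string, so an embedded
# newline cannot sneak a second "line" past the anchors.
is_valid_version() {
  [[ "$1" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$ ]]
}

# Extract, guard, and emit the two lines the workflow appends to
# GITHUB_OUTPUT. Emits nothing and returns 1 when the guard rejects.
version_outputs() {
  local version
  version=$(extract_version)
  if ! is_valid_version "$version"; then
    printf '::error::Unexpected version format: %q\n' "$version" >&2
    return 1
  fi
  printf 'version=%s\ntag=v%s\n' "$version" "$version"
}

# Constructed inputs: two well-formed files and two tampered ones.
GOOD='[project]
name = "demo"
version = "1.4.2"'

PRERELEASE='[project]
version = "2.0.0-rc.1"'

# Flag-like value: without the guard this reaches git tag as "v--delete".
FLAGLIKE='[project]
version = "--delete"'

# Unquoted value: the sed substitution does not match, so VERSION keeps
# the entire line ("version = 1.2.3"), which the guard must reject.
UNQUOTED='[project]
version = 1.2.3'

main() {
  for sample in "$GOOD" "$PRERELEASE" "$FLAGLIKE" "$UNQUOTED"; do
    if printf '%s\n' "$sample" | version_outputs; then
      echo "accepted"
    else
      echo "rejected"
    fi
  done
}

# Run the demonstration only when executed directly, not when sourced.
if [[ "${BASH_SOURCE[0]}" == "$0" ]]; then
  main
fi
```

Two caveats worth keeping in mind when adopting the guard: it relies on bash's `[[ =~ ]]`, so the step must run under bash (the default on Linux runners, but worth pinning with `shell: bash` if the workflow does not already); and the regex is a pragmatic approximation of SemVer, not the full grammar. It rejects a value that carries both a pre-release and a build suffix (`1.2.3-rc.1+build`), and it will also reject a perfectly valid line such as `version = "1.2.3"  # comment`, because the sed pattern leaves the trailing comment attached. Both are fail-closed outcomes, which is the right default for a release step, but they are the cases most likely to surprise a maintainer.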

Related PR: #51
Review comment: #51 (comment)

Generated by PR Review Comment — Create Issue for issue #51

Metadata


Labels

No labels

Projects

No projects

Milestone

No milestone

Relationships

None yet

Development

No branches or pull requests
