Add semver format guard for VERSION in monorepo-release workflow #93

Draft
Copilot wants to merge 2 commits into main from copilot/add-semver-format-guard

Conversation


Copilot AI commented Feb 19, 2026

Summary

VERSION extracted from pyproject.toml via grep | sed was written to GITHUB_OUTPUT without validation, allowing a malformed version (newlines, special chars, flag-like strings) to propagate into downstream git tag and gh release create commands.

Adds a regex guard immediately after extraction, before any output is written:

VERSION=$(grep -m1 '^version' pyproject.toml \
  | sed 's/version *= *"\(.*\)"/\1/')
if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"

Fails fast with a clear ::error:: annotation if the version does not match MAJOR.MINOR.PATCH[-+prerelease].

Testing

  • Not run (why?)
  • uv run poe check
  • Other: CodeQL scan — 0 alerts; guard logic verified manually against valid and malformed version strings

Checklist

  • Linked issue or task reference
  • Added/updated tests where relevant
  • Updated docs/README if needed
  • No secrets or sensitive data added
  • Considered backward compatibility and deployment impact

Additional context

Original prompt

This section details the original issue you should resolve

<issue_title>Add semver format guard for VERSION in monorepo-release workflow</issue_title>
<issue_description>## Summary

The VERSION and TAG values extracted from pyproject.toml in the monorepo release workflow are written to GITHUB_OUTPUT without a post-extraction format check. A malformed version value (containing newlines, special characters, or flag-like strings) could propagate into downstream git tag and gh release create commands.

File & Location

  • File: .github/workflows/monorepo-release.yml
  • Line: 42

Original Review Comment

Category: Input Validation and Sanitization (Category 1)
Severity: Low / Informational

The VERSION and TAG values are extracted from pyproject.toml via grep | sed and written directly to GITHUB_OUTPUT without a post-extraction format check:

VERSION=$(grep -m1 '^version' pyproject.toml \
  | sed 's/version *= *"\(.*\)"/\1/')
echo "version=${VERSION}" >> "$GITHUB_OUTPUT"
echo "tag=v${VERSION}" >> "$GITHUB_OUTPUT"

If pyproject.toml is tampered with (e.g., via a supply-chain attack on the monorepo itself), a malformed VERSION value (containing newlines, special characters, or git flag-like strings) could propagate into GITHUB_OUTPUT and into downstream git tag -a "$TAG" and gh release create "$TAG" commands. These commands do properly quote $TAG, which limits the immediate risk; nonetheless a semver guard is inexpensive.

Recommendation: Add a format guard before writing to GITHUB_OUTPUT:

if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

Proposed Fix

Add a semver regex validation step immediately after extracting VERSION and before writing to GITHUB_OUTPUT:

if [[ ! "$VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$ ]]; then
  echo "::error::Unexpected version format: '${VERSION}'" >&2
  exit 1
fi

Related PR: #51
Review comment: #51 (comment)

Generated by PR Review Comment — Create Issue for issue #51

Comments on the Issue (you are @copilot in this section)



Co-authored-by: pmalarme <686568+pmalarme@users.noreply.github.com>
Copilot AI changed the title from "[WIP] Add semver format guard for VERSION in monorepo-release workflow" to "Add semver format guard for VERSION in monorepo-release workflow" on Feb 19, 2026
Copilot AI requested a review from pmalarme February 19, 2026 22:16
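An added example, not code from this PR or the repository: the guard from the PR description factored into functions so it can be exercised against valid and malformed version strings. The function names, the constructed pyproject.toml fragments and the temporary file standing in for $GITHUB_OUTPUT are assumptions of the example; the regex and the grep | sed extraction are the PR's own. The example also escapes the rejected value with printf %q instead of echoing it raw.

```bash
# Added example, not code from the PR or the repository. Requires bash
# (for [[ =~ ]]), which is what GitHub Actions' default `shell: bash` runs.
# Function names, sample files and the output path are assumptions.

# Same pattern the PR uses: MAJOR.MINOR.PATCH plus at most one -prerelease
# or +build suffix. Kept unquoted on the right of =~ so bash treats it as a regex.
SEMVER_RE='^[0-9]+\.[0-9]+\.[0-9]+([-+][a-zA-Z0-9._-]+)?$'

# check_version VERSION -> exit status 0 if VERSION matches SEMVER_RE, else 1.
# bash compiles the ERE without REG_NEWLINE, so $ anchors only at end of string,
# and the character classes exclude newline: an embedded newline fails the match.
check_version() {
  [[ "$1" =~ $SEMVER_RE ]]
}

# extract_version FILE -> prints the version string the same way the workflow does.
extract_version() {
  grep -m1 '^version' "$1" | sed 's/version *= *"\(.*\)"/\1/'
}

# guarded_outputs FILE OUTFILE -> extract, validate, then append version= and
# tag= lines to OUTFILE (standing in for $GITHUB_OUTPUT). On a malformed
# version it emits an ::error:: annotation, writes nothing and returns 1.
guarded_outputs() {
  local file="$1" out="$2" version
  version=$(extract_version "$file")
  if ! check_version "$version"; then
    # %q escapes newlines and control characters, so the rejected value cannot
    # turn the single annotation into further lines the runner would parse.
    printf '::error::Unexpected version format: %q\n' "$version" >&2
    return 1
  fi
  printf 'version=%s\ntag=v%s\n' "$version" "$version" >> "$out"
}

# run_demo -> writes two constructed pyproject.toml fragments (sample input,
# not from any real project) and runs the guard on each; returns 0 only if
# the good file is accepted and the tampered one rejected.
run_demo() {
  local dir good bad out rc=0
  dir=$(mktemp -d)
  good="$dir/good.toml"; bad="$dir/bad.toml"; out="$dir/output"
  printf '[project]\nname = "demo"\nversion = "1.4.0-rc.1"\n' > "$good"
  # Tampered file: a git-flag-like value that quoting alone would pass through
  # to `git tag -a "$TAG"` unchanged.
  printf '[project]\nname = "demo"\nversion = "--delete"\n' > "$bad"

  if guarded_outputs "$good" "$out"; then
    echo "good.toml accepted, outputs written:"; cat "$out"
  else
    echo "good.toml unexpectedly rejected"; rc=1
  fi
  if guarded_outputs "$bad" "$out"; then
    echo "bad.toml unexpectedly accepted"; rc=1
  else
    echo "bad.toml rejected, nothing written"
  fi
  rm -rf "$dir"
  return "$rc"
}

run_demo
```

Run it with bash; the demo prints the two output lines for the good file and an ::error:: annotation for the tampered one. Two things the PR text does not spell out: the pattern admits only one of -prerelease or +build, so a full SemVer string such as 1.2.3-rc.1+build.5 is rejected (acceptable for a guard, but worth knowing before cutting such a release), and the error branch is exactly where the malformed value gets printed, which is why the example escapes it rather than echoing it raw.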


Development

Successfully merging this pull request may close these issues.

Add semver format guard for VERSION in monorepo-release workflow

2 participants