fix(penpal): use env vars to avoid shell injection in release workflow

Pass version and tag name through env: instead of interpolating
${{ }} expressions directly in run: blocks. Fixes GitHub Advanced
Security shell injection warnings.

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: loganj

.github/workflows/penpal-release.yml

@@ -28,6 +28,17 @@ jobs:
     steps:
       - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
 
+      # Validate that the git tag version matches Cargo.toml to prevent
+      # mismatched artifact names vs Homebrew URLs (see package.sh line 9).
+      - name: Validate tag matches Cargo.toml version
+        run: |
+          TAG_VERSION="${GITHUB_REF#refs/tags/penpal/v}"
+          CARGO_VERSION=$(grep '^version' apps/penpal/frontend/src-tauri/Cargo.toml | head -1 | sed 's/version = "//;s/"//')
+          if [ "$TAG_VERSION" != "$CARGO_VERSION" ]; then
+            echo "::error::Tag version ($TAG_VERSION) does not match Cargo.toml version ($CARGO_VERSION)"
+            exit 1
+          fi
+
       # Install hermit (manages node, rust, just, go)
       - uses: cashapp/activate-hermit@e49f5cb4dd64ff0b0b659d1d8df499595451155a # v1
 
@@ -98,25 +109,31 @@ jobs:
           path: artifacts
           merge-multiple: true
 
-      # Extract version from tag
+      # Extract version from tag and validate semver format
       - name: Extract version
         id: version
         run: |
           TAG="${GITHUB_REF#refs/tags/penpal/v}"
+          if [[ ! "$TAG" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
+            echo "::error::Tag version '$TAG' does not match semver format"
+            exit 1
+          fi
           echo "version=$TAG" >> "$GITHUB_OUTPUT"
 
       # Create GitHub Release with both zips
       - name: Create GitHub Release
         env:
           GH_TOKEN: ${{ github.token }}
+          VERSION: ${{ steps.version.outputs.version }}
+          TAG_NAME: penpal/v${{ steps.version.outputs.version }}
         run: |
           PREV_TAG=$(git describe --tags --match 'penpal/v*' --abbrev=0 HEAD^ 2>/dev/null || echo "")
           NOTES_ARGS="--generate-notes"
           if [ -n "$PREV_TAG" ]; then
             NOTES_ARGS="$NOTES_ARGS --notes-start-tag $PREV_TAG"
           fi
-          gh release create "${{ github.ref_name }}" \
-            --title "Penpal v${{ steps.version.outputs.version }}" \
+          gh release create "$TAG_NAME" \
+            --title "Penpal v${VERSION}" \
             $NOTES_ARGS \
             artifacts/*.zip
 
@@ -126,8 +143,8 @@ jobs:
       - name: Trigger Homebrew cask bump
         env:
           GH_TOKEN: ${{ github.token }}
+          VERSION: ${{ steps.version.outputs.version }}
         run: |
-          VERSION="${{ steps.version.outputs.version }}"
           BASE_URL="https://github.com/block/builderbot/releases/download/penpal/v${VERSION}"
           gh workflow run bump-cask.yaml \
             -R block/homebrew-tap \