Add release_tag validation guard to update-from-dispatch workflow

[Copilot]

Without validation, a missing or malformed release_tag in the repository_dispatch payload silently produces an invalid branch name (e.g. .x) and allows subsequent git commands to proceed against it.

Changes

• Fail-fast on empty tag — workflow exits immediately with a clear ::error:: message if release_tag is absent or empty
• Semver pattern validation — rejects tags that don't match ^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ before any branch computation occurs

TAG="${{ github.event.client_payload.release_tag }}"
if [[ -z "$TAG" ]]; then
  echo "::error::release_tag is missing or empty in the repository_dispatch payload."
  exit 1
fi
if [[ ! "$TAG" =~ ^v?[0-9]+\.[0-9]+\.[0-9]+(-[a-zA-Z0-9.]+)?$ ]]; then
  echo "::error::release_tag '$TAG' does not match the expected semver pattern (e.g. v1.2.3 or 1.2.3)."
  exit 1
fi

Accepts v18.2.3, 18.2.3, and pre-release variants like v1.0.0-alpha.1. Rejects .x, bare strings, partial versions, and shell-injection attempts.

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.