Potential fix for code scanning alert no. 349: Artifact poisoning

Co-authored-by: Copilot Autofix powered by AI <62310815+github-advanced-security[bot]@users.noreply.github.com>
Signed-off-by: Dargon789 <64915515+Dargon789@users.noreply.github.com>

Author: Dargon789

.github/workflows/npm.yml

@@ -292,7 +292,20 @@ jobs:
           NPM_TOKEN: ${{ secrets.NPM_TOKEN }}
           NODE_AUTH_TOKEN: ${{ secrets.NPM_TOKEN }}
           NPM_REGISTRY_URL: ${{ env.NPM_REGISTRY_URL }}
-        run: bun run build
+        run: |
+          set -euo pipefail
+          bun run build
+
+          # Validate RELEASE_VERSION before exporting it. Only allow semantic-version-like strings,
+          # e.g. 1.2.3 or 1.2.3-beta.1. Reject anything else to avoid artifact poisoning.
+          if [[ -z "${RELEASE_VERSION:-}" ]]; then
+            echo "RELEASE_VERSION is empty or unset; refusing to export." >&2
+            exit 1
+          fi
+          if ! [[ "$RELEASE_VERSION" =~ ^[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?$ ]]; then
+            echo "RELEASE_VERSION '$RELEASE_VERSION' has an invalid format; refusing to export." >&2
+            exit 1
+          fi
 
           printf 'RELEASE_VERSION=%s\n' "$RELEASE_VERSION" >>"$GITHUB_OUTPUT"