fix(ci): finish shell-injection removal in submit-packages + re-enable semgrep --error (#11)

Completes #10: the Chocolatey job's Determine version / Submit / Summary
steps and both Linux/Chocolatey Summary steps still interpolated
github.event.inputs.* directly in run: blocks. Move them all into
step-level env: vars referenced as quoted shell variables, and restore
--error on semgrep so findings block CI.

Co-authored-by: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: ralyodio

.github/workflows/security.yml

@@ -17,10 +17,8 @@ jobs:
       image: semgrep/semgrep
     steps:
       - uses: actions/checkout@v4
-      # Report ERROR-severity findings in the log without failing the build.
-      # (Drop `--error` to keep semgrep from exiting non-zero on findings.)
       - run: |
-          semgrep scan --severity ERROR \
+          semgrep scan --error --severity ERROR \
             --config p/javascript \
             --config p/typescript \
             --config p/owasp-top-ten \

.github/workflows/submit-packages.yml

@@ -137,12 +137,14 @@ jobs:
 
       - name: Summary
         if: always()
+        env:
+          DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
         run: |
           echo "## Package Submission Summary (Linux)" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
           echo "- **Package Managers**: ${{ steps.pms.outputs.package_managers }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Dry Run**: ${{ github.event.inputs.dry_run || 'false' }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Dry Run**: $DRY_RUN" >> $GITHUB_STEP_SUMMARY
 
   # Windows job for Chocolatey
   submit-chocolatey:
@@ -172,11 +174,14 @@ jobs:
       - name: Determine version
         id: version
         shell: bash
+        env:
+          INPUT_VERSION: ${{ github.event.inputs.version }}
+          RELEASE_TAG: ${{ github.event.release.tag_name }}
         run: |
-          if [ -n "${{ github.event.inputs.version }}" ]; then
-            VERSION="${{ github.event.inputs.version }}"
-          elif [ -n "${{ github.event.release.tag_name }}" ]; then
-            VERSION="${{ github.event.release.tag_name }}"
+          if [ -n "$INPUT_VERSION" ]; then
+            VERSION="$INPUT_VERSION"
+          elif [ -n "$RELEASE_TAG" ]; then
+            VERSION="$RELEASE_TAG"
           else
             VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
           fi
@@ -201,9 +206,10 @@ jobs:
       - name: Submit to Chocolatey
         if: steps.check-key.outputs.has_key == 'true'
         shell: bash
+        env:
+          DRY_RUN: ${{ github.event.inputs.dry_run }}
         run: |
           VERSION="${{ steps.version.outputs.version }}"
-          DRY_RUN="${{ github.event.inputs.dry_run }}"
 
           ARGS="-v $VERSION -p chocolatey"
 
@@ -220,8 +226,10 @@ jobs:
       - name: Summary
         if: always()
         shell: bash
+        env:
+          DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
         run: |
           echo "## Package Submission Summary (Chocolatey)" >> $GITHUB_STEP_SUMMARY
           echo "" >> $GITHUB_STEP_SUMMARY
           echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
-          echo "- **Dry Run**: ${{ github.event.inputs.dry_run || 'false' }}" >> $GITHUB_STEP_SUMMARY
+          echo "- **Dry Run**: $DRY_RUN" >> $GITHUB_STEP_SUMMARY