
ci(erpc:PLA-1349): harden release workflows #69

Merged
0x666c6f merged 2 commits into morpho-main from feature/pla-1349-ciworkflow-supply-chain-hardening-across-morpho-infra-morpho on May 6, 2026

Conversation

0x666c6f (Collaborator) commented May 6, 2026

Summary

  • Validate release workflow version_tag before use.
  • Remove direct shell interpolation of version_tag.
  • Default targeted workflows to no permissions and rely on per-job grants.

Changes

  • Release preparation now validates semver and passes version through step outputs/env.
  • Tygo install is pinned to a fixed module version.
  • Claude and Scorecard workflows default to permissions: {}.

Linear

Copilot AI review requested due to automatic review settings May 6, 2026 09:40
@0x666c6f 0x666c6f self-assigned this May 6, 2026

linear Bot commented May 6, 2026


Copilot AI left a comment


Pull request overview

This PR hardens GitHub release-related workflows by reducing default token permissions and validating/passing release versions more safely across steps.

Changes:

  • Set workflow-level permissions: {} and rely on per-job permission grants (Scorecard + Claude workflows, and Release workflow).
  • Add version_tag validation and avoid direct interpolation by passing the validated value via step outputs/env.
  • Pin tygo installation to a fixed version in the release workflow.

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

Reviewed files:

  • .github/workflows/scorecards.yml: Drops default workflow token permissions; keeps explicit job-level permissions for Scorecard publishing/upload.
  • .github/workflows/release.yml: Adds version_tag validation + safer propagation; pins tygo; removes direct interpolation; sets default permissions to none.
  • .github/workflows/claude.yml: Sets workflow-level permissions to none; relies on job-level permissions already present.
  • .github/workflows/claude-code-review.yml: Sets workflow-level permissions to none; relies on job-level permissions already present.
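The PR summary and the Copilot overview above describe three changes without showing them: a workflow-level `permissions: {}` with per-job grants, a `version_tag` input that is validated as semver and forwarded through step outputs/env instead of being interpolated into a shell command, and a tygo install pinned to a fixed module version. The excerpt below is an added illustration of those patterns written for this page; it is not the release workflow from this PR or from the morpho repository. The job and step names, the script paths, the tygo module path, and the `vX.Y.Z` version placeholder are assumptions.

```yaml
name: release

on:
  workflow_dispatch:
    inputs:
      version_tag:
        description: "Release version, e.g. v1.2.3"
        required: true
        type: string

# Hardened default: an empty map grants the GITHUB_TOKEN nothing at the
# workflow level, so every job must request exactly the scopes it needs.
# Without this line each job inherits the repository's default token scopes.
permissions: {}

jobs:
  prepare:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    outputs:
      # Downstream jobs consume the validated value only, never the raw input.
      version: ${{ steps.validate.outputs.version }}
    steps:
      # Weak pattern (shown for contrast, do not use): the ${{ }} expression is
      # expanded into the script text before the shell runs, so the input is
      # parsed as shell syntax rather than as data.
      #
      #   - run: ./scripts/prepare-release.sh ${{ inputs.version_tag }}
      #
      # Hardened pattern: pass the input through env, then validate it.
      - name: Validate version tag
        id: validate
        env:
          VERSION_TAG: ${{ inputs.version_tag }}
        run: |
          set -euo pipefail
          # bash's [[ =~ ]] matches the whole string, so a value carrying an
          # embedded newline or shell metacharacters cannot satisfy the
          # pattern. Accepted form: vMAJOR.MINOR.PATCH[-prerelease].
          if [[ ! "$VERSION_TAG" =~ ^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?$ ]]; then
            # The rejected value is deliberately not echoed: untrusted text in
            # the job log can itself be interpreted as a workflow command.
            echo "::error::version_tag is not a valid semver tag (expected vX.Y.Z)"
            exit 1
          fi
          echo "version=$VERSION_TAG" >> "$GITHUB_OUTPUT"

  build:
    needs: prepare
    runs-on: ubuntu-latest
    permissions:
      contents: write   # the only scope this job needs, granted only here
    env:
      VERSION: ${{ needs.prepare.outputs.version }}
    steps:
      - uses: actions/checkout@v4      # for stricter control, pin to a full commit SHA
      - uses: actions/setup-go@v5
        with:
          go-version-file: go.mod
      # Pinned install: a fixed module version instead of @latest, so a new
      # upstream release cannot silently change what the build runs.
      # vX.Y.Z is a placeholder; substitute the release you have reviewed.
      - run: go install github.com/gzuidhof/tygo@vX.Y.Z
      # The version reaches the script as an environment variable and is
      # quoted, so it stays a single argument.
      - run: ./scripts/build-release.sh "$VERSION"
```

The two halves reinforce each other: the `env:` block keeps the input out of the script text, and the regex check turns the output into a value that later jobs can safely place on a command line. If a job needs no token at all, leaving its `permissions:` block absent under a workflow-level `permissions: {}` gives it none.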


Comment thread .github/workflows/release.yml Outdated
@0x666c6f 0x666c6f merged commit a16a70c into morpho-main May 6, 2026
12 checks passed
