
Fix release workflow tag validation#11

Merged
homerquan merged 1 commit into main from codex/fix-release-workflow-tag-validation-xmounp on May 18, 2026

Conversation

@homerquan

Collaborator

Motivation

  • Close a release CI vulnerability where a user-supplied workflow_dispatch ref was checked out before validation, allowing a malicious checked-out scripts/validate-version-tag.sh to forge step outputs and enable publishing attacker-controlled artifacts.

Description

  • Move tag validation into the workflow itself (before any checkout) and perform inline validation with a semver regex, producing tag_name, version, and is_prerelease outputs.
  • Change all actions/checkout usages for release flows to explicitly check out refs/tags/<tag> instead of the original user-supplied ref.
  • Record the validated tag commit as tag_commit in the validate job and add verification steps that ensure downstream test, build-otp, and github-release jobs verify both the tag resolution and the checked-out HEAD match the previously validated commit.
  • Add explicit per-job verification steps that fail fast if tag resolution or checkout does not match the validated tag commit.

Testing

  • Parsed the modified workflow with ruby -e 'require "yaml"; YAML.load_file(".github/workflows/release.yml")' and it parsed successfully.
  • Linted the validator script with bash -n scripts/validate-version-tag.sh and it passed syntactic checks.
  • Ran git diff --check and there are no whitespace/patch errors.
  • mix format --check-formatted and mix test could not be executed in this environment because Hex installation failed when attempting to download metadata (network/Hex access returned HTTP 403).

Codex Task
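The two defensive pieces the description lists, inline tag validation before any checkout and a per-job check that the resolved tag and the checked-out HEAD equal the previously validated commit, as an added shell example. This is not the project's release.yml or its scripts/validate-version-tag.sh; the function names, the semver regex (which deliberately accepts no build metadata) and the output format are assumptions made here for illustration.

```shell
#!/bin/sh
# Added example, not the project's own workflow or validator script.
# validate_tag runs on the raw workflow_dispatch input before any checkout,
# so no repository content is executed while the input is still untrusted.

# Assumed regex: vMAJOR.MINOR.PATCH with an optional -prerelease suffix,
# no leading zeros, no build metadata.
SEMVER_RE='^v(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)\.(0|[1-9][0-9]*)(-[0-9A-Za-z.-]+)?$'

# validate_tag TAG
# On success prints the three outputs the PR describes, one per line in
# GITHUB_OUTPUT "key=value" format, and returns 0. On any malformed input
# prints nothing and returns 1.
validate_tag() {
    tag=$1
    nl='
'
    # grep matches per line, so an input containing a newline could smuggle a
    # valid-looking first line past the regex. Reject it (and empty input) first.
    case $tag in
        ''|*"$nl"*) return 1 ;;
    esac
    # The pattern is passed as the argument and the input via stdin, so a tag
    # beginning with "-" cannot be mistaken for a grep option.
    printf '%s\n' "$tag" | grep -Eq "$SEMVER_RE" || return 1
    version=${tag#v}
    case $version in
        *-*) is_prerelease=true ;;
        *)   is_prerelease=false ;;
    esac
    printf 'tag_name=%s\nversion=%s\nis_prerelease=%s\n' \
        "$tag" "$version" "$is_prerelease"
}

# verify_checkout VALIDATED_COMMIT RESOLVED_TAG_COMMIT HEAD_COMMIT
# Models the fail-fast step in each downstream job: the commit the tag now
# resolves to and the commit actually checked out must both equal the commit
# the validate job recorded. Returns 0 only when all three agree.
verify_checkout() {
    expected=$1
    resolved=$2
    head=$3
    [ -n "$expected" ] || { echo "no validated tag commit available" >&2; return 1; }
    [ "$resolved" = "$expected" ] \
        || { echo "tag resolves to $resolved, expected $expected" >&2; return 1; }
    [ "$head" = "$expected" ] \
        || { echo "checked-out HEAD is $head, expected $expected" >&2; return 1; }
    return 0
}
```

In a workflow step the output of validate_tag would be appended to "$GITHUB_OUTPUT", and verify_checkout would receive the recorded tag_commit output together with `git rev-parse "refs/tags/$TAG^{commit}"` and `git rev-parse HEAD` from the job that has already checked out refs/tags/<tag>. Keeping the validation in pure shell with no reference to repository files is the property that closes the gap the PR describes: nothing from the user-supplied ref runs until the tag has been accepted.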

@homerquan homerquan merged commit c99f046 into main May 18, 2026
1 check failed
