diff --git a/.github/workflows/ci.yml b/.github/workflows/ci.yml
index b4b8757..9cc66c5 100644
--- a/.github/workflows/ci.yml
+++ b/.github/workflows/ci.yml
@@ -66,7 +66,11 @@ jobs:
 --collect:"XPlat Code Coverage"
 --results-directory TestResults
+ # Skip Codecov on fork PRs: forked pull requests have no access to repository
+ # secrets, so CODECOV_TOKEN is empty there and the upload would fail noisily for
+ # no benefit. Same-repo pushes/PRs upload normally.
 - name: Upload coverage to Codecov
+ if: ${{ github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository }}
 uses: codecov/codecov-action@v7
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
@@ -74,7 +78,7 @@ jobs:
 fail_ci_if_error: false
 - name: Upload test results to Codecov
- if: ${{ !cancelled() }}
+ if: ${{ !cancelled() && (github.event_name != 'pull_request' || github.event.pull_request.head.repo.full_name == github.repository) }}
 uses: codecov/codecov-action@v7
 with:
 token: ${{ secrets.CODECOV_TOKEN }}
diff --git a/.github/workflows/release.yml b/.github/workflows/release.yml
index b618664..457cd9c 100644
--- a/.github/workflows/release.yml
+++ b/.github/workflows/release.yml
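Review bot: The new `if:` on the coverage step infers token availability from the event shape instead of checking it, so a same-repository PR opened by Dependabot (which runs with Dependabot secrets, not repository secrets) still reaches the upload with an empty `CODECOV_TOKEN`; the widened condition in the second hunk has the same gap. Because the `secrets` context is not available in a step-level `if`, the usual remedy is to expose the token once at job level, `env:` / `  CODECOV_TOKEN: ${{ secrets.CODECOV_TOKEN }}`, and gate both steps on `if: ${{ env.CODECOV_TOKEN != '' }}` (keeping `!cancelled() &&` on the test-results step). That also removes the verbatim duplication of the fork-detection expression across the two steps, which is a drift risk the next edit to one of them will likely trip. Given `fail_ci_if_error: false` is visible on the second step (and presumably set on the first, outside this view), the "fail noisily" wording in the new comment likely means a logged error rather than a red check; worth saying which.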
@@ -66,8 +66,20 @@ jobs:
 - name: Extract tag version
 id: version
 shell: pwsh
+ env:
+ # Pass the tag through the environment instead of interpolating ${{ }} directly
+ # into the script body — that avoids any script-injection from a crafted manual
+ # dispatch input and keeps the value as plain data.
+ EVENT_NAME: ${{ github.event_name }}
+ INPUT_TAG: ${{ inputs.tag }}
+ REF_NAME: ${{ github.ref_name }}
 run: |
- $tag = if ("${{ github.event_name }}" -eq "workflow_dispatch") { "${{ inputs.tag }}" } else { "${{ github.ref_name }}" }
+ $tag = if ($env:EVENT_NAME -eq "workflow_dispatch") { $env:INPUT_TAG } else { $env:REF_NAME }
+ # Validate the tag shape (vMAJOR.MINOR.PATCH[...]) before using it anywhere.
+ if ($tag -notmatch '^v[0-9]+\.[0-9]+\.[0-9]+') {
+ Write-Error "Invalid release tag '$tag' — expected a semver tag like v1.2.3."
+ exit 1
+ }
 $version = $tag -replace '^v', ''
 "tag=$tag" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
 "version=$version" | Out-File -FilePath $env:GITHUB_OUTPUT -Append
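Review bot: The validation regex on the new `if ($tag -notmatch ...)` line is anchored only at the start, so any suffix after the patch number is accepted, yet `$tag` is then written to `$GITHUB_OUTPUT` and presumably consumed by later steps as `steps.version.outputs.tag`, where quotes, spaces or a newline in that suffix reappear unvalidated (a newline in a manual-dispatch `inputs.tag` could even add further output keys). Since the comment already states the intended shape as `vMAJOR.MINOR.PATCH[...]`, make the accepted suffix explicit and anchor the end: `if ($tag -cnotmatch '^v[0-9]+\.[0-9]+\.[0-9]+(-[0-9A-Za-z.-]+)?(\+[0-9A-Za-z.-]+)?$') {`. `-cnotmatch` is optional but worth considering: `-notmatch` is case-insensitive in PowerShell, so `V1.2.3` currently passes the check if the lowercase prefix is meant to be mandatory. The env-based handoff above the script is the right shape for this step; the remaining exposure is downstream of this hunk, which is why the regex is where to tighten.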