diff --git a/.github/workflows/security.yml b/.github/workflows/security.yml
index 91e08f8..e0f0ad6 100644
--- a/.github/workflows/security.yml
+++ b/.github/workflows/security.yml
@@ -17,10 +17,8 @@ jobs:
 image: semgrep/semgrep
 steps:
 - uses: actions/checkout@v4
- # Report ERROR-severity findings in the log without failing the build.
- # (Drop `--error` to keep semgrep from exiting non-zero on findings.)
 - run: |
- semgrep scan --severity ERROR \
+ semgrep scan --error --severity ERROR \
 --config p/javascript \
 --config p/typescript \
 --config p/owasp-top-ten \
diff --git a/.github/workflows/submit-packages.yml b/.github/workflows/submit-packages.yml
index 8700547..d54310f 100644
--- a/.github/workflows/submit-packages.yml
+++ b/.github/workflows/submit-packages.yml
@@ -137,12 +137,14 @@ jobs:
 - name: Summary
 if: always()
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
 run: |
 echo "## Package Submission Summary (Linux)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
 echo "- **Package Managers**: ${{ steps.pms.outputs.package_managers }}" >> $GITHUB_STEP_SUMMARY
- echo "- **Dry Run**: ${{ github.event.inputs.dry_run || 'false' }}" >> $GITHUB_STEP_SUMMARY
+ echo "- **Dry Run**: $DRY_RUN" >> $GITHUB_STEP_SUMMARY
 # Windows job for Chocolatey
 submit-chocolatey:
@@ -172,11 +174,14 @@ jobs:
 - name: Determine version
 id: version
 shell: bash
+ env:
+ INPUT_VERSION: ${{ github.event.inputs.version }}
+ RELEASE_TAG: ${{ github.event.release.tag_name }}
 run: |
- if [ -n "${{ github.event.inputs.version }}" ]; then
- VERSION="${{ github.event.inputs.version }}"
- elif [ -n "${{ github.event.release.tag_name }}" ]; then
- VERSION="${{ github.event.release.tag_name }}"
+ if [ -n "$INPUT_VERSION" ]; then
+ VERSION="$INPUT_VERSION"
+ elif [ -n "$RELEASE_TAG" ]; then
+ VERSION="$RELEASE_TAG"
 else
 VERSION=$(git describe --tags --abbrev=0 2>/dev/null || echo "")
 fi
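Review bot: In `security.yml` (hunk `@@ -17,10`) the two deleted comment lines are not replaced, so nothing in the workflow records that `--error` now makes ERROR-severity findings fail the job. A one-line comment above `- run: |` would cover it, for example `# Fail the job on any ERROR-severity semgrep finding (--error => non-zero exit).` The gate also depends on `image: semgrep/semgrep`, shown without a tag or digest, and on registry rule packs such as `p/owasp-top-ten`, so its verdict can change with no change in this repository; pinning the image to a tag or digest the project has verified would make a red build reproducible. The `semgrep scan` command continues past the end of the hunk.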
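Review bot: The Linux Summary step in `submit-packages.yml` (hunk `@@ -137,12`) still expands `${{ steps.version.outputs.version }}` and `${{ steps.pms.outputs.package_managers }}` inside the `run:` script, so only `dry_run` was moved out of the shell text. In the Chocolatey job the version output appears to derive from the workflow input or the release tag (hunk `@@ -172,11`), which makes it caller-supplied text of the same kind; the same expansion remains at `VERSION="${{ steps.version.outputs.version }}"` in the Submit to Chocolatey step (`@@ -201,9`) and in the Chocolatey Summary (`@@ -220,8`). Pass these through `env:` as well, e.g. `VERSION: ${{ steps.version.outputs.version }}` under `env:` and `echo "- **Version**: $VERSION" >> "$GITHUB_STEP_SUMMARY"` in the script. How the Linux job computes its version output is outside the hunks shown, so confirm the source of that value there.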
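Review bot: Nothing in the visible lines of the Determine version step (hunk `@@ -172,11`) checks the shape of `VERSION` after it is taken from `INPUT_VERSION` or `RELEASE_TAG`, and a later step builds `ARGS="-v $VERSION -p chocolatey"` from it. A format check right after `fi` would stop a malformed value before it reaches the step output, for example `[[ "$VERSION" =~ ^v?[0-9]+(\.[0-9]+)*$ ]] || { echo "unexpected version: $VERSION" >&2; exit 1; }` (a constructed pattern; adjust it to the project's tag scheme). The step continues past the end of the hunk, so such a check may already exist there.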
@@ -201,9 +206,10 @@ jobs:
 - name: Submit to Chocolatey
 if: steps.check-key.outputs.has_key == 'true'
 shell: bash
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run }}
 run: |
 VERSION="${{ steps.version.outputs.version }}"
- DRY_RUN="${{ github.event.inputs.dry_run }}"
 ARGS="-v $VERSION -p chocolatey"
@@ -220,8 +226,10 @@ jobs:
 - name: Summary
 if: always()
 shell: bash
+ env:
+ DRY_RUN: ${{ github.event.inputs.dry_run || 'false' }}
 run: |
 echo "## Package Submission Summary (Chocolatey)" >> $GITHUB_STEP_SUMMARY
 echo "" >> $GITHUB_STEP_SUMMARY
 echo "- **Version**: ${{ steps.version.outputs.version }}" >> $GITHUB_STEP_SUMMARY
- echo "- **Dry Run**: ${{ github.event.inputs.dry_run || 'false' }}" >> $GITHUB_STEP_SUMMARY
+ echo "- **Dry Run**: $DRY_RUN" >> $GITHUB_STEP_SUMMARY