Keep OpenCode version selection predictable by reading a single repo-wide constant and packaging that pin into orchestrator builds. Remove env and latest-release fallbacks so desktop, workers, snapshots, and CI stay aligned.
Co-authored-by: Omar McAdam <omar@OpenWork-Studio.localdomain>
The triage-issue job interpolated $ISSUE_TITLE and $ISSUE_BODY unquoted
inside a double-quoted shell string, allowing any GitHub user to execute
arbitrary commands by opening an issue with shell metacharacters.
The duplicate-prs job similarly interpolated $COMMENT unquoted into a
gh pr comment --body argument.
Fix both by using printf with %s (prevents shell interpretation) and
--body-file (avoids inline interpolation entirely).
Co-authored-by: xj <gh-xj@users.noreply.github.com>
