fix(api): reject malformed workflow requests

pkg/api/provider.go

@@ -6,6 +6,8 @@
 package api
 
 import (
+	"errors"
+	stdio "io"
 	"io/fs"
 	"net/http"
 
@@ -545,7 +547,11 @@ func (p *BuildProvider) generateReleaseWorkflow(c *gin.Context) {
 
 	var req releaseWorkflowRequest
 	if err := c.ShouldBindJSON(&req); err != nil {
-		req.Path = ""
+		// Empty bodies are valid; malformed JSON is not.
+		if !errors.Is(err, stdio.EOF) {
+			c.JSON(http.StatusBadRequest, api.Fail("invalid_request", err.Error()))
+			return
+		}
 	}
 
 	path := req.Path

pkg/api/provider_test.go

@@ -257,6 +257,28 @@ func TestProvider_GenerateReleaseWorkflow_OutputAlias_Good(t *testing.T) {
 	assert.Contains(t, content, "workflow_dispatch:")
 }
 
+func TestProvider_GenerateReleaseWorkflow_InvalidJSON_Bad(t *testing.T) {
+	gin.SetMode(gin.TestMode)
+
+	projectDir := t.TempDir()
+	p := NewProvider(projectDir, nil)
+
+	recorder := httptest.NewRecorder()
+	request := httptest.NewRequest(http.MethodPost, "/release/workflow", bytes.NewBufferString(`{"path":`))
+	request.Header.Set("Content-Type", "application/json")
+
+	ctx, _ := gin.CreateTestContext(recorder)
+	ctx.Request = request
+
+	p.generateReleaseWorkflow(ctx)
+
+	assert.Equal(t, http.StatusBadRequest, recorder.Code)
+
+	path := build.ReleaseWorkflowPath(projectDir)
+	_, err := io.Local.Read(path)
+	assert.Error(t, err)
+}
+
 func TestProvider_DiscoverProject_Good(t *testing.T) {
 	gin.SetMode(gin.TestMode)