fix(workflows): fix shell syntax error and correct action version comments

[LuisUrrutia]

Summary

Fixes a confirmed bash syntax error and corrects misleading action version comments across 6 workflow files.

Changes

• rc.yml:39 - Fix bash bad substitution error: ${#$INPUT_COMMIT_SHA} → ${#INPUT_COMMIT_SHA}. The incorrect syntax causes the validation step to crash with "bad substitution" instead of showing the intended error message when an invalid commit SHA is provided.

• Version comment corrections (verified via GitHub API):

  • scorecard.yml and codeql.yml: # v4.5.4 → # v6.0.1 (tag v4.5.4 does not exist)
  • release-sbom.yml: # main → # v3.0.0 for actions/attest-build-provenance
  • release-docker.yml: Add # v3.6.0 to docker/login-action (was missing)

• Cleanup: Remove debug echo statements from release-please.yml ("pr head branch name: >>>>> ...")

All changes are cosmetic fixes except for the bash syntax error, which is a confirmed bug that will fail on next use.

Summary by CodeRabbit

• Chores

  • Updated continuous integration infrastructure with latest action versions for enhanced security and performance.
  • Streamlined release pipeline by removing unnecessary diagnostic steps.
  • Enhanced deployment configuration with clarifying documentation.

• Bug Fixes

  • Corrected shell parameter expansion in build validation.

[coderabbitai]

Walkthrough

GitHub Actions workflow files updated with action version bumps (checkout to v6.0.1, attest-build-provenance to v3.0.0), a bash parameter expansion bug fix, removal of redundant debug steps, and a documentation comment addition across six workflow files.

Changes

Cohort / File(s)	Summary
Checkout Action Version Bump .github/workflows/codeql.yml, .github/workflows/scorecard.yml	Updated actions/checkout from v4.5.4 to v6.0.1.
Action Version Updates .github/workflows/release-sbom.yml	Updated attest-build-provenance action reference from main to v3.0.0.
Bug Fixes & Cleanup .github/workflows/rc.yml	Fixed bash parameter expansion syntax in the Validate Commit SHA step: corrected ${#$INPUT_COMMIT_SHA} to ${#INPUT_COMMIT_SHA}.
Step Removal .github/workflows/release-please.yml	Removed three identical "Get PR details" debug steps from release-please, update-cargo-lockfile, and update-openapi-spec-file jobs.
Documentation .github/workflows/release-docker.yml	Added inline comment to docker/login-action usage step; no functional change.

Estimated code review effort

🎯 1 (Trivial) | ⏱️ ~5 minutes

Poem

🐰 Our workflows hop with pride so bright,
With actions bumped to v6 in sight,
A bash fix here, old steps now gone,
CI/CD runs from dusk till dawn! ✨

🚥 Pre-merge checks | ✅ 3

✅ Passed checks (3 passed)

Check name	Status	Explanation
Title check	✅ Passed	The title clearly and specifically describes the main changes: fixing a shell syntax error and correcting action version comments across workflow files.
Description check	✅ Passed	The description includes a comprehensive summary and detailed changes, but does not include the Testing Process and Checklist sections from the template.
Docstring Coverage	✅ Passed	No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.

_{✏️ Tip: You can configure your own custom pre-merge checks in the settings.}

✨ Finishing touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch gh-workflow-update

---

_{Comment @coderabbitai help to get the list of available commands and usage tips.}