fix(ci): add set -euo pipefail to check-pinned-deps workflow

[Copilot]

Addresses feedback on PR #6885 to add bash strict mode to the dependency update workflow.

Changes

• Added set -euo pipefail to both shell script blocks in .github/workflows/check-pinned-deps.yml
  • "Check for update" step: exits on command failure, treats unset variables as errors, fails on pipeline errors
  • "Update pinned version" step: same protections for sed operations

The workflow already validates empty CURRENT and LATEST values explicitly. This adds fail-fast behavior for edge cases like API failures, network issues, or command errors that bypass explicit checks.

- name: Check for update
  id: check
  run: |
    set -euo pipefail  # Added
    CURRENT=$(grep -oP '${{ matrix.dep.pattern }}' '${{ matrix.dep.file }}')
    if [ -z "$CURRENT" ]; then
      echo "Failed to determine current version..." >&2
      exit 1
    fi
    # ... rest of script

---

🔒 GitHub Advanced Security automatically protects Copilot coding agent pull requests. You can protect all pull requests by enabling Advanced Security for your repositories. Learn more about Advanced Security.

[jstirnaman]

Superseded by commit 86702b4 on #6885 which applies this fix along with all other review findings.