chore: replace curl/jq with gh CLI for release resolution and downloads

[yordis]

Replaces the raw `curl | jq` approach with the `gh` CLI which is pre-installed on all GitHub-hosted runners and handles auth, retries, rate limiting, and pagination natively.

Changes:

• `gh release list` replaces the `curl` + `jq` pipeline for version resolution — no more manual `Authorization` headers, `per_page`, or response type validation
• `gh release download` replaces `curl` for tarball fetching — downloads directly to disk before hashing instead of piping through `sha256sum`
• Removes manual `--retry` flags, `Accept` headers, and API array validation since `gh` handles all of that internally

Closes the 504 flakiness on `otel-collector` that was caused by GitHub API timeouts on large external repos.

[cursor]

PR Summary

Medium Risk
Changes the release/tag discovery and artifact download path used to generate formula updates; failures would mainly break automated bumps rather than runtime behavior, but could cause missed/incorrect version or checksum updates if gh queries/pattern matching differs from the prior API approach.

Overview
The Autobump Formulas workflow now uses the GitHub CLI (gh) instead of curl/jq to resolve the latest upstream release version, with GH_TOKEN set at the job level for authentication.

Checksum generation is refactored to gh release download assets to a temp directory and hash them from disk (with updated error handling/cleanup), and the formula-update Python script tightens URL-matching regexes via re.escape to handle arch strings more safely.

^{Written by Cursor Bugbot for commit 8cd5e2e. This will update automatically on new commits. Configure here.}

[coderabbitai]

Warning

Rate limit exceeded

@yordis has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 5 minutes and 21 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info

⚙️ Run configuration

Configuration used: Organization UI

Review profile: CHILL

Plan: Pro

Run ID: 61621ff3-640b-4e74-b413-5fe4b93dcccd

📥 Commits

Reviewing files that changed from the base of the PR and between 224d068 and 8cd5e2e.

📒 Files selected for processing (1)

• .github/workflows/autobump.yml

✨ Finishing Touches

🧪 Generate unit tests (beta)

• Create PR with unit tests
• Post copyable unit tests in a comment
• Commit unit tests in branch refactor-use-gh-cli

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands and usage tips.}

[cursor]

Cursor Bugbot has reviewed your changes and found 1 potential issue.

[cursor]

Unsafe direct interpolation of tag_prefix into jq expression

Low Severity

The ${{ matrix.tag_prefix }} value is directly interpolated into the --jq expression string (inside double quotes in the jq filter). The old code safely passed the prefix via jq --arg prefix, which properly escapes special characters. The gh --jq flag does not support --arg, so if a tag_prefix ever contains characters meaningful to jq (like " or \), the jq expression would be malformed and the step would fail silently or produce incorrect results. Current matrix values are safe, but this is a robustness regression from the prior approach.