ci(deps): bump ops-routines-workflows from v0.6.1 to v0.6.2

[justin-layerv]

Why

Bumps the ops-routines-workflows age-check reusables from v0.6.1 to v0.6.2.

v0.6.2 fixes a gap in the v0.6.0 sticky-comment feature: previously only "too new" pins surfaced as a PR comment. Transient upstream failures (gh api / docker registry / proxy / pypi / npmjs unreachable) left PRs with a red required check and no PR-level explanation. v0.6.2 renders unverifiable failures as a sticky comment too, with re-run guidance instead of an eligible-after date.

Hardening folded in alongside:

• record_unverifiable strips \t\n| from reason so callers forwarding upstream error text can't break the markdown table layout.
• Same pin landing as both kinds (transient mid-run flake across two changed files) is deduped.
• awk failure under set -euo pipefail no longer silently suppresses the comment.

Upstream: https://github.com/layervai/ops-routines-workflows/releases/tag/v0.6.2

Test plan

• CI green on this PR.

[claude]

Review

Verdict: LGTM. Clean, minimal SHA bump with a thorough PR description.

What's good

• SHA-pinned with a version comment (@ca41c7123c507ad45331a723851da6c010541154 # v0.6.2) — correct pattern for third-party reusable workflows; you get reproducibility and a human-readable version. Don't lose this convention.
• Both workflow files bumped together (dependency-age-check-actions.yml and dependency-age-check-pip.yml), keeping the two age-check entrypoints in lockstep — easy to forget one of these in a hand bump, but it's correct here.
• PR description explains why, not just what — calls out the specific v0.6.0 sticky-comment gap that v0.6.2 closes (unverifiable failures now surface as a PR comment), plus the three hardening items folded in. Links to the upstream release. This is the standard to keep for future bumps.
• No callsite contract change. The with: inputs (min_age_days, sticky-comment toggles) are unchanged, so the upgrade is behavior-additive only — no risk of breaking these required checks.

Worth verifying before merge

1. Confirm the pinned SHA matches the v0.6.2 tag upstream. Quick check:

   gh api repos/layervai/ops-routines-workflows/git/refs/tags/v0.6.2 --jq .object.sha

   Should return ca41c7123c507ad45331a723851da6c010541154. (Couldn't verify this from the review environment.) If the tag was force-moved after pinning, the comment lies — worth a 5-second sanity check.
2. CI green on this PR — per your own test plan checkbox. Since this PR only touches the two age-check workflows and those workflows run on PRs, this PR itself exercises the new pin. If they pass here, you've got end-to-end verification before merge.

Nits (non-blocking)

• None worth fixing. The diff is as small as it can be.

Out of scope / FYI

• No src/ or tests/ impact, so ruff / mypy / pytest coverage isn't relevant here. Security posture is unchanged (still SHA-pinned, still least-privileged inputs).
• If you want to automate future bumps of ops-routines-workflows, Dependabot can be configured to update GitHub Actions pins and preserve the # v0.x.y comment — but doing this by hand with a description this good is also fine.