fix: replace SHA in comment example with @VERSION placeholder

[derekmisler]

Problem

The release workflow (release.yml) was failing at the "Create release commit with pinned refs" step.

Line 15 of .github/workflows/review-pr.yml is a YAML comment that serves as a documentation example:

#       uses: docker/cagent-action/.github/workflows/review-pr.yml@dba0ca51938c78afb363625363c50582243218d6 # v1.3.1

Although the sed replacement is comment-aware (anchored on uses:) and correctly skips this line, the verification grep (OLD_PIN_PATTERN) is not — it matched the SHA in the comment and reported it as a stale ref, causing the step to exit with an error.

Fix

Replace the real SHA in the comment with a plain @VERSION placeholder. This is a documentation example; it does not need a real SHA.

#       uses: docker/cagent-action/.github/workflows/review-pr.yml@VERSION

Why this works:

• @VERSION contains no 40-character hex string, so it never matches @[a-f0-9]{40}
• Neither the update-self-refs sed nor the verification grep will ever touch it again
• The change is strictly minimal — one comment line, nothing else

Testing

After this merge, a release workflow run will find exactly the three real uses: lines (lines 231, 353, 696) and successfully pin + verify them without hitting the false-positive on line 15.

[docker-agent]

Assessment: 🟢 APPROVE

This PR fixes a false-positive in the release workflow verification by replacing a real SHA in a documentation comment with a @VERSION placeholder.

Analysis:

• The change is in a YAML comment (line 15) that serves as a usage example
• The actual workflow code continues to use properly pinned SHA references
• No functional code is modified
• The @VERSION placeholder prevents the verification grep from matching this comment line

Verdict: No bugs detected. This is a safe documentation-only change that resolves the release workflow issue.