ci(release): fix bump-develop-version.yml duplicate Authorization header (#2771)

`actions/checkout@v6` defaults to `persist-credentials: true`, which
writes `http.https://github.com/.extraheader = AUTHORIZATION: basic <GITHUB_TOKEN>`
to the local `.git/config`. `peter-evans/create-pull-request@v6` then
sets its own `extraheader` for the dispatch token, and the next git
operation sends both Authorization headers — GitHub returns HTTP 400
with `remote: Duplicate header: "Authorization"`.

First observed on the v4.0.1 GA (2026-05-20, run 26173817714); manual
workaround was #2770. Setting `persist-credentials: false` keeps
peter-evans/create-pull-request as the sole Authorization authority.

This is a documented peter-evans/create-pull-request gotcha when the
caller uses a non-default token.

Signed-off-by: Peter Amiri <peter@alurium.com>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: bpamiri

.github/workflows/bump-develop-version.yml

@@ -61,6 +61,11 @@ jobs:
         with:
           ref: develop
           fetch-depth: 1
+          # Don't persist GITHUB_TOKEN as a git extraheader — peter-evans/create-pull-request
+          # below sets its own Authorization, and two simultaneous extraheaders make GitHub
+          # reject git operations with "Duplicate header: Authorization" → HTTP 400.
+          # First hit on the v4.0.1 GA (run 26173817714); manual workaround was #2770.
+          persist-credentials: false
 
       - name: Compute next snapshot target
         run: |