The actual source of the duplicate Authorization header

PR #1597 removed GH_TOKEN from job-level. Smoke-test still failed with the same error. Why? The conflict was with actions/checkout, not the env var.

What checkout does with persist-credentials: true

[command] git config --local
   http.https://github.com/.extraheader
   "AUTHORIZATION: basic ***"

checkout leaves a persistent git AUTHORIZATION extraheader so subsequent git operations (push, fetch, etc.) work without re-auth. Then peter-evans adds its OWN extraheader. Result: git sends two AUTHORIZATION headers, GitHub returns 400.

Fix

- uses: actions/checkout@de0fac2e...  # v6.0.2
  with:
    fetch-depth: 0
    persist-credentials: false   # ← was true

We don't need persisted git creds:

Step 1 (Snapshot) uses gh CLI, auth via per-step GH_TOKEN env.
Step 7 (Open snapshot PR) is peter-evans/create-pull-request, manages its own auth.
No other step touches git remotes.

Verification

This PR merges.
Manual gh workflow run "Claude Release Watch".
All 10 steps including Open snapshot PR finish ✓ success.
An auto-PR appears with the snapshot data files.