CI Security and Style fixes

[BenBE]

Fixes #2032

@coderabbitai : Please suggest further issues in the CI setup now. This PR will contain cleanup of the CI stuff, so let's concentrate CI-related changes instead of sprinkling them all over the place.

[coderabbitai]

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: 79772062-2098-4486-815a-142bfb058420

📥 Commits

Reviewing files that changed from the base of the PR and between c67b1e8 and bf9d40f.

📒 Files selected for processing (1)

• .github/workflows/ci.yml

---

📝 Walkthrough

Walkthrough

The CI workflow updates checkout steps to stop persisting credentials across several jobs, replaces deprecated LLVM apt-key repository setup with scoped keyrings in four Ubuntu Clang jobs, changes one unsupported-platform shell substitution to $(uname -m), rewrites BSD and Solaris VM build jobs using vmactions/*-vm, and refreshes lint job wiring.

Assessment against linked issues

Objective	Addressed	Explanation
Replace apt-key/add-apt-repository with signed-by keyrings in all four Clang jobs [#2032]	✅
Replace backtick command substitutions with $() in the workflow [#2032]	❓	The unsupported-platform --host substitution is updated, but the four Clang-job ubuntu_codename=\...`` substitutions are not shown in the provided change summary.

Assessment against linked issues: Out-of-scope changes

Code Change	Explanation
Rewritten BSD and Solaris VM build jobs (.github/workflows/ci.yml, lines 288-416)	The linked issue only requests LLVM apt-key removal and shell-style fixes. These VM job changes are unrelated to those objectives.
Checkout credential persistence changes and lint job wiring updates (.github/workflows/ci.yml, lines 18-19, 74-75, 125-126, 145-146, 250-251, 271-272, 417-433)	These workflow adjustments are not part of the linked issue requirements.

Poem

Old keys depart; new keyrings sing,
Shell syntax leans on calmer wings.
BSDs and Solaris march anew,
While lint and checkout tidy through.
The workflow hums, more crisp than before.

---

Thanks for using CodeRabbit! It's free for OSS, and your support helps us grow. If you like it, consider giving us a shout-out.

❤️ Share

• X
• Mastodon
• Reddit
• LinkedIn

_{Comment @coderabbitai help to get the list of available commands.}

[coderabbitai]

Actionable comments posted: 3

---

ℹ️ Review info

⚙️ Run configuration

Configuration used: Repository UI

Review profile: ASSERTIVE

Plan: Pro Plus

Run ID: aaa53919-1d3b-4426-859c-9bb82d08de88

📥 Commits

Reviewing files that changed from the base of the PR and between f137d5a and c67b1e8.

📒 Files selected for processing (1)

• .github/workflows/ci.yml