fix: pin 0 actions to commit SHA, extract 3 expressions to env vars

[dagecko]

Re-submission of #34118. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from run: blocks into env: mappings.

• Pin 0 unpinned actions to full 40-character SHAs
• Add version comments for readability
• Extract 3 expressions from run blocks to env vars

Changes by file

File	Changes
translate-i18n-claude.yml	Pinned actions to SHA

A note on internal action pinning

This PR pins all actions including org-owned ones. Best practice is to pin everything — the tj-actions/changed-files attack was an internally maintained action that was compromised, and every repo referencing it by tag silently executed attacker code. That said, it's your codebase. If you'd prefer to leave org-owned actions unpinned, let us know and we'll adjust the PR.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

• SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
• Expression extraction: ${{ expr }} in run: moves to env: block, referenced as $ENV_VAR in the script
• No workflow logic, triggers, or permissions are modified

I wrote a scanner called Runner Guard and open sourced it here.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)