fix(ci): repoint container pins to post-#195 overlay digests

[cbeaulieu-gt]

Summary

Closes #194 (PR-B of a two-PR sequence; PR-A was #195, merged as ff5aa34).

PR #195 rebuilt the runtime base image with unzip and gh baked in. The post-merge runtime-build run (id 25398539323) produced new overlay digests. This PR repoints the 5 container-pinned reusable workflows and the claude-tag-respond.yml dispatch mapping to those new digests.

The underlying overlay set, layer model, and "different eyes" guarantee are unchanged.

Validation target: PR #191 — the review check failure diagnosed in #192 / #194 should clear on its next rebase against this merged change.

Files changed

• .github/workflows/claude-pr-review.yml — review image digest updated
• .github/workflows/claude-tag-respond.yml — review + fix + explain image digests updated (2 lines)
• .github/workflows/claude-apply-fix.yml — fix image digest updated
• .github/workflows/claude-ci-failure.yml — fix image digest updated
• .github/workflows/claude-lint-failure.yml — fix image digest updated
• CLAUDE.md — Phase 5 image refresh note appended to CI Runtime section

Digest replacement table

Image	OLD (Phase 3 / missing unzip+gh)	NEW (post-#195 rebuild)
claude-runtime-review	sha256:776980ed...cdeef1	sha256:e0bb9972...184ca
claude-runtime-fix	sha256:da2b6e52...24a20	sha256:3e8fd1b7...ed24
claude-runtime-explain	sha256:23dd59f2...06ff77	sha256:c3fb56ee...424c

Closes #194

Test plan

• actionlint clean — verified locally (exit 0)
• No old digests remain in .github/workflows/ tree — verified with grep
• 6 total SHA256 pins in workflows — count confirmed
• On merge, the review-overlay PR-init bootstrap clears (next PR opened against this repo will exercise the new image end-to-end)
• PR feat(ci): periodic overlay-image-pull smoke test #191 will be rebased post-merge to validate end-to-end

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt

[cbeaulieu-gt]

Note on the review check failure (same bootstrap as #195)

The review check on this PR will fail for the same bootstrap reason as #195: claude-pr-review.yml uses pull_request_target, which evaluates against main's pinned digest — and main still pins the OLD overlay (@sha256:776980ed...) without unzip/gh. This PR is the very thing that updates the pin; it cannot validate itself.

The real signal is the rest of the matrix:

• ✅ actionlint (verified clean locally + in CI)
• ✅ claude-command-router corpus
• ⚠️ runtime-build matrix is not triggered by this PR because it doesn't touch runtime/** (only workflow files + CLAUDE.md). That's correct — no rebuild needed; the new images are already on GHCR from the post-fix(runtime): add unzip + gh to base image #195 build run 25398539323.

What unblocks after merge:

1. The container pins in main now point at images with unzip + gh baked in.
2. The next PR opened against this repo (including a re-rebase of feat(ci): periodic overlay-image-pull smoke test #191) will exercise the new image and produce real review output again — completing end-to-end validation of the bug: 5 container-pinned workflows missing packages:read; all Claude CI jobs blocked #192 / bug: runtime base image missing unzip + gh; CI still broken after #193 #194 hotfix chain.

🤖 Generated by Claude Code on behalf of @cbeaulieu-gt