fix: pin 0 actions to commit SHA, extract 3 expressions to env vars#34231

Open
dagecko wants to merge 1 commit into langgenius:main from dagecko:runner-guard/fix-ci-security

Conversation


@dagecko dagecko commented Mar 28, 2026

Re-submission of #34118. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from run: blocks into env: mappings.

  • Pin 0 unpinned actions to full 40-character SHAs
  • Add version comments for readability
  • Extract 3 expressions from run blocks to env vars

Changes by file

| File | Changes |
| --- | --- |
| translate-i18n-claude.yml | Pinned actions to SHA |

A note on internal action pinning

This PR pins all actions including org-owned ones. Best practice is to pin everything — the tj-actions/changed-files attack was an internally maintained action that was compromised, and every repo referencing it by tag silently executed attacker code. That said, it's your codebase. If you'd prefer to leave org-owned actions unpinned, let us know and we'll adjust the PR.

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
  • Expression extraction: ${{ expr }} in run: moves to env: block, referenced as $ENV_VAR in the script
  • No workflow logic, triggers, or permissions are modified

I wrote a scanner called Runner Guard and open-sourced it here.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)
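The two checks described under "How to verify" (unpinned `uses:` refs and `${{ }}` expressions left inline in `run:` scripts), as an added example that is not part of this PR and not Runner Guard's code: a stdlib-only Python scanner over workflow text. The sample workflow, the `example-org/setup-tool` action and its placeholder SHA are constructed for the example.

```python
import re

# Constructed sample workflow (not the repository's translate-i18n-claude.yml):
# a tag-pinned and a SHA-pinned action (placeholder SHA), an injectable inline run:, and its env:-mapped fix.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@0123456789abcdef0123456789abcdef01234567 # v3
      - run: echo "Building ${{ github.event.inputs.branch }}"
      - env:
          BRANCH: ${{ github.event.inputs.branch }}
        run: |
          echo "Building $BRANCH"
"""

SHA_RE = re.compile(r"[0-9a-f]{40}")
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*)(?:-\s*)?run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{[^}]*\}\}")
BLOCK_RE = re.compile(r"[|>][-+0-9]*")  # YAML block scalar indicators

def find_unpinned_actions(text):
    # Report every uses: reference whose ref after '@' is not a full 40-hex commit SHA.
    unpinned = []
    for line in text.splitlines():
        m = USES_RE.match(line)
        if not m or "@" not in m.group(1):  # local ./path actions have no ref to pin
            continue
        if not SHA_RE.fullmatch(m.group(1).partition("@")[2]):
            unpinned.append(m.group(1))
    return unpinned

def find_inline_run_expressions(text):
    # Report ${{ ... }} expressions that expand inside run: scripts (inline or block scalar).
    found, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1
        if not m:
            continue
        indent, rest = len(m.group(1)), m.group(2)
        found.extend(EXPR_RE.findall(rest))
        if BLOCK_RE.fullmatch(rest.strip()):  # block scalar: body is every deeper-indented line
            while i < len(lines) and (not lines[i].strip() or len(lines[i]) - len(lines[i].lstrip()) > indent):
                found.extend(EXPR_RE.findall(lines[i]))
                i += 1
    return found
```

Expressions mapped through `env:` are not reported because the shell only ever sees `$BRANCH`, which is exactly the mitigation this PR applies.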

@dosubot dosubot bot added the size:S This PR changes 10-29 lines, ignoring generated files. label Mar 28, 2026
crazywoola previously approved these changes Mar 31, 2026
@dosubot dosubot bot added the lgtm This PR has been approved by a maintainer label Mar 31, 2026
@crazywoola (Member)

LGTM, please resolve the conflicts first.


@mahdirajaee mahdirajaee left a comment


Good security hygiene improvement. Extracting the three ${{ github.event.inputs.* }} expressions from the run: block into env: mappings is the correct mitigation for script injection via crafted workflow dispatch inputs. The tj-actions/changed-files supply chain attack reference in the PR description is well-chosen context for why even org-owned actions benefit from SHA pinning.

The implementation is mechanically correct -- the SHA ff9acae5886d41a99ed4ec14b7dc147d55834722 for claude-code-action@v1.0.77 is preserved with a version comment for maintainability. One suggestion: it might be worth adding a note in the workflow file or contributing docs that future action version bumps should update the SHA and the comment together, since it is easy to update the comment tag without updating the hash (or vice versa), which would silently drift. Tools like Dependabot or Renovate can automate this if configured for GitHub Actions. Overall this is a straightforward, low-risk hardening change.


dagecko commented Mar 31, 2026

Conflicts resolved — rebased onto current main. The upstream rewrite of translate-i18n-claude.yml replaced the old workflow_dispatch block, so I kept the new logic and re-applied the expression extraction on top (3 github.event.inputs.* refs moved from inline run: to env: vars). YAML validated, ready for re-review.
