fix(core): rewrite action version checker with extracted scripts

[nerdalytics]

Summary

• Fix broken check-action-versions.yml that falsely reports all actions are up to date
• Extract 275 lines of inline bash into 9 standalone scripts in .github/scripts/
• Add input sanitization for tag names and SHAs before sed interpolation
• Update Biome schema to 2.4.7 and fix formatting/lint violations from Biome 2.4 upgrade

Bugs Fixed

1. SHA-pinned actions always skipped — script detected 40-char hex SHA and skipped comparison, meaning no action was ever checked
2. Annotated tag dereferencing inverted — was checking object.type == "commit" then dereferencing again (backwards)
3. PR targeted main instead of trunk
4. Biome schema mismatch — CI installs version: latest via biomejs/setup-biome, but trunk's schema was pinned to 2.3.14. Biome 2.4.x expanded noNegationElse to cover !==/!=, graduated 24 nursery rules to recommended, and changed organizeImports to sort bare exports.

Scripts

Script	Purpose
scan-actions.sh	Parse uses: lines, extract action/SHA/version comment
resolve-latest.sh	Fetch latest release tags, resolve to commit SHAs
compare-actions.sh	SHA-based comparison, detect outdated actions
generate-report.sh	Build markdown report table
apply-updates.sh	Sed-replace action SHAs with strict input validation
manage-issue.sh	Create/update security issue
commit-changes.sh	Branch, stage, commit
manage-pr.sh	Push and create PR targeting trunk
close-if-current.sh	Clean up issue/PR when all current

Test plan

• Trigger workflow via workflow_dispatch and verify it correctly detects outdated actions
• Verify scan output captures all unique actions with version comments
• Verify outdated actions get reported with correct current/latest versions
• Verify PR is created targeting trunk (not main)