
fix: pin 5 unpinned action(s), extract 1 unsafe expression(s) to env vars#1775

Open
dagecko wants to merge 1 commit into microsoft:main from dagecko:runner-guard/fix-ci-security

Conversation


@dagecko dagecko commented Mar 28, 2026

Re-submission of #1773. Had a problem with my fork and had to delete it, which closed the original PR. Apologies for the noise.

Summary

This PR pins all GitHub Actions to immutable commit SHAs instead of mutable version tags and extracts expressions from run: blocks into env: mappings.

  • Pin 5 unpinned actions to full 40-character SHAs
  • Add version comments for readability
  • Extract 1 expression from run block to env var

Changes by file

| File | Changes |
| --- | --- |
| azure-static-web-apps-ashy-river-0debb7803.yml | Pinned Azure/static-web-apps-deploy (x2) |
| links.yml | Pinned lycheeverse/lychee-action, peter-evans/create-issue-from-file |
| lock.yml | Pinned OSDKDev/lock-issues |
| daily-repo-status.lock.yml | Extracted ${{ github.token }} to GITHUB_TOKEN env var |

How to verify

Review the diff — each change is mechanical and preserves workflow behavior:

  • SHA pinning: action@v3 becomes action@abc123 # v3 — original version preserved as comment
  • Expression extraction: ${{ expr }} in run: moves to env: block, referenced as "${ENV_VAR}" in the script
  • No workflow logic, triggers, or permissions are modified

I wrote a scanner called Runner Guard and open sourced it here so you can scan yourself if you want to. Also put up a link to my research on Twitter if you're interested.

If you have any questions, reach out. I'll be monitoring comms.

- Chris Nyhuis (dagecko)
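A small checker for the two transformations this PR describes, added here as an example; it is not part of the PR or of the Runner Guard tool. It flags `uses:` refs that are not full 40-hex commit SHAs, finds `${{ }}` expressions inside `run:` scalars (inline or block), and rewrites a script line into the `"${ENV_VAR}"` form together with the `env:` mapping it needs. The workflow text is a constructed sample and the SHA in it is a placeholder, not a real commit.

```python
import re
# Constructed sample workflow (not from the PR); the 40-hex SHA is a placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
jobs:
  build:
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4
      - run: |
          echo "Hello ${{ github.event.pull_request.title }}"
        env:
          GITHUB_TOKEN: ${{ github.token }}
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
RUN_RE = re.compile(r"^(\s*(?:-\s+)?)run:\s*(.*)$")
EXPR_RE = re.compile(r"\$\{\{\s*(.*?)\s*\}\}")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

def find_unpinned_actions(text):
    """(line_no, ref) for each uses: ref not pinned to a 40-hex commit SHA; ./ and docker:// refs are skipped."""
    hits = []
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if m and not m.group(1).startswith(("./", "docker://")) \
                and not SHA_RE.match(m.group(1).partition("@")[2]):
            hits.append((n, m.group(1)))
    return hits

def find_run_expressions(text):
    """(line_no, expr) for each ${{ }} in a run: scalar; a block scalar spans the blank or deeper-indented lines after the key."""
    hits, lines, i = [], text.splitlines(), 0
    while i < len(lines):
        m = RUN_RE.match(lines[i])
        i += 1  # i is now the 1-based number of the line just examined
        if not m:
            continue
        key_indent = len(m.group(1))  # a leading "- " counts toward the key's indent
        hits += [(i, e) for e in EXPR_RE.findall(m.group(2))]
        while i < len(lines) and (not lines[i].strip() or lines[i].startswith(" " * (key_indent + 1))):
            hits += [(i + 1, e) for e in EXPR_RE.findall(lines[i])]
            i += 1
    return hits

def extract_to_env(script_line):
    """Replace each ${{ expr }} with "${NAME}" and return (new_line, {NAME: expr}); NAME is expr upper-cased with non-alphanumerics as "_"."""
    env = {}
    def repl(m):
        name = re.sub(r"[^A-Za-z0-9]+", "_", m.group(1)).strip("_").upper()
        env[name] = m.group(1)
        return '"${%s}"' % name
    return EXPR_RE.sub(repl, script_line), env
```

Expressions under `env:` are intentionally not flagged: that is where the PR moves them, since the runner passes env values to the shell as data rather than splicing them into the script text.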
