Pin all remaining GitHub Actions references to full-length commit SHAs,
matching the convention already established by third-party actions in
this repo. This is a prerequisite for enabling GitHub's "Require actions
to be pinned to a full-length commit SHA" repository ruleset, which
mitigates tag-hijacking supply chain attacks.
After reopening a PR and removing the `missing-issue-link` label, the
`require_issue_link` check still shows as failed on the PR. Because the
default `GITHUB_TOKEN` suppresses event-driven re-triggers, the old red
check persists until the contributor pushes again. This adds a
best-effort re-run of the failed check so the PR's status clears
automatically on assignment.
When the `require_issue_link` workflow closes a PR and posts an
enforcement comment, that comment was never cleaned up after the
situation resolved — leaving a stale "automatically closed" message
visible on reopened PRs. Now all three resolution paths (maintainer
bypass, author fixing the issue link, and contributor assignment)
minimize the enforcement comment as outdated via GraphQL. The cleanup is
best-effort: failures log a warning but never block the primary workflow
logic (label removal, bypass, reopen).
`require_issue_link.yml` auto-closes external PRs when the author isn't
assigned to the linked issue, but there was no trigger to reopen them
when a maintainer later grants the assignment. Contributors had to
manually edit their PR description to trigger re-evaluation — poor UX
that generated repeat questions. This adds a companion workflow that
listens for issue assignment events and reopens matching PRs
automatically.
