Per GitHub security recommendations, all (third-party) actions should be pinned to a commit hash because these version tags are mutable.
Consider adding CodeQL to this repo.
https://github.com/github/codeql/blob/main/actions/ql/src/Security/CWE-829/UnpinnedActionsTag.md
Originally posted by @joebowbeer in d504c54
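The check the linked CodeQL query performs can be approximated with a few lines of Python. The script below is an added example, not code from the original comment, from CodeQL or from this repository: it scans a workflow for `uses:` references and reports every third-party action whose ref is not a full 40-character commit SHA, while leaving local (`./`) and `docker://` references alone, since those are not pinned by SHA the same way. The sample workflow and the SHA in it are constructed for illustration (the SHA is a placeholder, not a real commit of any action).

```python
import re

# Constructed sample workflow for the demo (not from the original issue).
# The 40-hex SHA on the setup-node line is a made-up placeholder, not a real commit.
SAMPLE_WORKFLOW = """\
name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@0123456789abcdef0123456789abcdef01234567 # v4.0.2
      - uses: ./.github/actions/local-thing
      - uses: docker://alpine:3.19
      - uses: some-org/some-action@main
      - run: npm test
"""

# Matches a `uses:` step (optionally quoted) and captures the action reference.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^'\"\s#]+)")
# A full Git commit SHA: exactly 40 lowercase hex characters. Tags, branches and
# abbreviated SHAs do not match and are treated as unpinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref):
    """Classify one `uses:` reference as local, docker, pinned or unpinned."""
    if ref.startswith("./"):
        return "local"          # action in this repo: version travels with the commit
    if ref.startswith("docker://"):
        return "docker"         # container action: pin by image digest instead
    # Remote action: owner/repo[/path]@ref. rpartition keeps any '/' in the path intact.
    _, sep, version = ref.rpartition("@")
    if not sep:
        return "unpinned"       # no ref at all (invalid for remote actions)
    return "pinned" if SHA_RE.match(version) else "unpinned"


def find_unpinned(workflow_text):
    """Return [(line_number, ref), ...] for every third-party action not pinned to a commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if classify_ref(ref) == "unpinned":
            findings.append((lineno, ref))
    return findings


if __name__ == "__main__":
    for lineno, ref in find_unpinned(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {ref} is not pinned to a commit SHA")
```

When fixing a finding, keep the human-readable version as a trailing comment (`uses: owner/action@<full-sha> # v4.0.2`, as in the sample's setup-node line) so that reviewers can see what the SHA corresponds to and dependency-update tooling can keep the pin current.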