Tighten workflow version file checks to include CHANGELOG.md

[mfoltz]

Motivation

• Enforce immutability for every canonical repo-owned version metadata file so CI cannot accidentally modify tracked version information during the build/publish flows.

Description

• Update .github/workflows/build.yml to add a short explanatory comment and include CHANGELOG.md in the git diff --exit-code -- ... guard (replacing git diff --exit-code -- "$csproj" thunderstore.toml) in the build_verification, publish_prerelease, and publish_feature_testing_prerelease steps so the same canonical file set is checked consistently.

Testing

• Ran rg -n "Verify canonical version files remain unchanged|git diff --exit-code --|Canonical repo-owned version files" .github/workflows/build.yml, git diff -- .github/workflows/build.yml, and git show --stat --oneline --decorate=short HEAD; all commands returned the expected results and completed successfully.

---

Codex Task

[Copilot]

Pull request overview

This PR tightens the CI immutability guard in .github/workflows/build.yml so that all canonical, repo-owned version metadata files are consistently checked for unintended modifications during CI runs.

Changes:

• Adds an explanatory comment clarifying the intent of the immutability guard.
• Extends the existing git diff --exit-code -- ... guard to include CHANGELOG.md alongside the discovered .csproj and thunderstore.toml.
• Applies the same canonical file set consistently across build_verification, publish_prerelease, and publish_feature_testing_prerelease.