ci(telegram): add SHA-256 to file captions + cross-link main channel to files channel

Two changes on top of last commit:

1. SHA-256 ("تایید اصالت") now in every file caption. Each artifact's
   caption gets a `<code>...</code>` line with the file's SHA-256 hex
   so recipients can `sha256sum <file>` after download and verify it
   matches what the channel posted. Defends against modified copies
   if the channel ever gets relayed through a third party.

   For chunked uploads (file > 45 MB), each part shows BOTH:
   - SHA-256 of that specific part (verifies the chunk downloaded
     intact before bothering to reassemble)
   - SHA-256 of the full reassembled file (verifies the final result
     after `cat <name>.part_* > <name>`)

2. Main channel post is now a cross-link, not files.

   Previously the legacy `telegram` job in release.yml posted the
   universal APK + full changelog as one sendDocument + sendMessage
   pair to the main announcement channel.

   New behaviour: telegram-publish-files.yml's last step posts a short
   message to the main channel saying "v1.8.0 released, click here
   for files" with a t.me link pointing at the files channel's
   announcement anchor post. Recipients land on the anchor, scroll
   to find the platform-specific artifact they need.

   Link format: `t.me/c/<chat_id>/<msg>` for private channels (works
   for members), or `t.me/<username>/<msg>` if `FILES_CHANNEL_USERNAME`
   repo variable is set (works for everyone — useful if the files
   channel is later made public).

   Legacy telegram job in release.yml stays in source, dormant,
   gated on `vars.TELEGRAM_NOTIFY_ENABLED == 'true'` (default false).
   Comment updated to note the new workflow is the canonical path.
   If both are turned on at once, the main channel gets two posts
   per release.

Tested manually for syntax + caption rendering — actual SHA-256 values
will appear on the next workflow_dispatch run.

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

.github/workflows/telegram-publish-files.yml

@@ -99,12 +99,23 @@ jobs:
       - name: Publish files to Telegram channel
         env:
           BOT_TOKEN: ${{ secrets.TELEGRAM_BOT_TOKEN }}
-          # The target channel — supergroup-style negative ID. Hard-coded
+          # The files channel — supergroup-style negative ID, hard-coded
           # rather than templated as a repo variable because there's only
           # ever one of these and putting it in source makes the workflow
-          # auditable. The bot token (`secrets.TELEGRAM_BOT_TOKEN`)
-          # already has post permissions on this channel.
+          # auditable. The bot token already has post permissions there.
           CHAT_ID: '-1003966234444'
+          # The main announcement channel. Receives a single cross-link
+          # message per release pointing at the file-channel anchor post,
+          # instead of the previous behaviour of attaching the universal
+          # APK + full changelog. Sourced from the same secret the
+          # legacy `telegram` job in release.yml used.
+          MAIN_CHAT_ID: ${{ secrets.TELEGRAM_CHAT_ID }}
+          # Optional: if the files channel later gets a public username,
+          # set the repo variable `FILES_CHANNEL_USERNAME` (without the
+          # `@`) so the cross-link uses the prettier `t.me/<name>/<msg>`
+          # form instead of `t.me/c/<id>/<msg>` (which only resolves for
+          # channel members).
+          FILES_CHANNEL_USERNAME: ${{ vars.FILES_CHANNEL_USERNAME }}
         run: |
           if [ -z "${BOT_TOKEN:-}" ]; then
             echo "::error::TELEGRAM_BOT_TOKEN not set; can't publish"