SHA-pin GitHub Actions and upgrade deprecated checkout versions

- Upgrade actions/checkout from v2/v3 to SHA-pinned v4
- SHA-pin all unshelled action tags (pages, CodeQL, scorecard,
  rust-cache, upload/download-artifact, setup-node, cache)
- Standardise scorecard-action to v2.4.0
- Fix setup-node@v6 → SHA-pinned v4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/codeql.yml

@@ -74,7 +74,7 @@ jobs:
 
     # Initializes the CodeQL tools for scanning.
     - name: Initialize CodeQL
-      uses: github/codeql-action/init@v4
+      uses: github/codeql-action/init@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
       with:
         languages: ${{ matrix.language }}
         build-mode: ${{ matrix.build-mode }}
@@ -103,6 +103,6 @@ jobs:
         exit 1
 
     - name: Perform CodeQL Analysis
-      uses: github/codeql-action/analyze@v4
+      uses: github/codeql-action/analyze@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
       with:
         category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -20,12 +20,12 @@ jobs:
           persist-credentials: false
 
       - name: Run Scorecard
-        uses: ossf/scorecard-action@v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
 
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
         with:
           sarif_file: results.sarif