Fix CodeQL alerts: pin Alpine image digest, scope release permissions

- Pin Dockerfile.alpine to SHA digest (PinnedDependenciesID)
- Narrow workflow-level permissions to contents:read (TokenPermissionsID)
- Elevated permissions only on release-draft and verify jobs

Author: DeusData

.github/workflows/release.yml

@@ -24,9 +24,7 @@ on:
         default: 'quick'
 
 permissions:
-  contents: write
-  id-token: write
-  attestations: write
+  contents: read
 
 jobs:
   # ── 1. Lint + Security + CodeQL ────────────────────────────────

test-infrastructure/Dockerfile.alpine

@@ -6,7 +6,7 @@
 # Build:  docker build -f test-infrastructure/Dockerfile.alpine -t cbm-alpine test-infrastructure/
 # Run:    docker run --rm -v $(pwd):/src cbm-alpine
 
-FROM alpine:3.21
+FROM alpine:3.21@sha256:a8560b36e8b8210634f77d9f7f9efd7ffa463e380b75e2e74aff4511df3ef88c
 
 RUN apk add --no-cache \
     build-base \