fix(ci): disable scorecard publish_results (was 400ing on webapp)

Scorecard analysis runs fine (score 7.0) but publish_results=true POSTs to
the OpenSSF webapp, which rejects the top-level security-events:write perm
(workflow-restrictions). Set publish_results=false; SARIF still uploads to
GitHub code-scanning.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: Patel230

.github/workflows/scorecard.yml

@@ -27,7 +27,7 @@ jobs:
         with:
           results_file: scorecard-results.sarif
           results_format: sarif
-          publish_results: true
+          publish_results: false
 
       - name: Upload artifact
         uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1