chore: increase security level in workflows and README #246

Merged: fabiocaccamo merged 1 commit into main from copilot/increase-security-level on Apr 17, 2026

Copilot AI commented Apr 17, 2026

Contributor

Hardens CI/CD supply chain security by pinning actions to immutable commit SHAs, restricting GITHUB_TOKEN permissions, and adding an OpenSSF Scorecard badge.

Changes

  • Pin all actions to SHA across all four workflows (test-package.yml, pre-commit-autoupdate.yml, update-data.yml, create-release.yml) — version tag preserved as inline comment:
    uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
  • Fix create-release.yml permissions — no top-level permissions block meant the job inherited repo-default token scopes (potentially write-all). Now:
    permissions: {}          # deny-all at workflow level
    
    jobs:
      build:
        permissions:
          contents: write    # create GitHub release + checkout
          id-token: write    # PyPI OIDC publish
  • Add OpenSSF Scorecard badge to README.md after the ruff badge.

Related issue
?

Checklist before requesting a review

  • I have performed a self-review of my code.
  • I have added tests for the proposed changes.
  • I have run the tests and there are no errors.
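
The two properties this PR description relies on (every `uses:` ref is a full commit SHA, and the workflow declares a top-level `permissions:` block) can be checked mechanically. The following is an added example, not part of the pull request or the project's code; the function name `audit_workflow`, the regex-based line scan and the two sample workflows are assumptions constructed for illustration.

```python
import re

# A `uses:` ref is treated as immutable only when it is a full 40-hex commit SHA.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
TOP_PERMS_RE = re.compile(r"^permissions\s*:", re.MULTILINE)  # column 0 only

def audit_workflow(text):
    """Return ([(line_no, ref), ...] for unpinned actions, has_top_level_permissions)."""
    unpinned = []
    for line_no, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith(("./", "docker://")):  # local action / image, not a git ref
            continue
        if not SHA_RE.fullmatch(ref.partition("@")[2]):
            unpinned.append((line_no, ref))
    return unpinned, bool(TOP_PERMS_RE.search(text))

# Constructed sample workflows; the trigger and job layout are assumptions.
BEFORE = """\
on: push
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v6
      - name: Set up Python
        uses: actions/setup-python@v6
"""
AFTER = """\
on: push
permissions: {}
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
      - name: Set up Python
        uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
"""

if __name__ == "__main__":
    for label, workflow in (("before", BEFORE), ("after", AFTER)):
        print(label, audit_workflow(workflow))
```

The scan only confirms that a ref has the shape of a commit SHA; it does not verify that the SHA belongs to the upstream repository or matches the tag named in the comment.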

codecov Bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 99.18%. Comparing base (cd19d41) to head (7f9f148).
⚠️ Report is 1 commits behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #246   +/-   ##
=======================================
  Coverage   99.18%   99.18%           
=======================================
  Files           8        8           
  Lines         986      986           
=======================================
  Hits          978      978           
  Misses          8        8           
Flag Coverage Δ
unittests 99.18% <ø> (ø)

@fabiocaccamo fabiocaccamo marked this pull request as ready for review April 17, 2026 08:08
Copilot AI review requested due to automatic review settings April 17, 2026 08:08
@fabiocaccamo fabiocaccamo merged commit 650b242 into main Apr 17, 2026
24 of 25 checks passed

Copilot AI left a comment

Pull request overview

This PR hardens the repository’s CI/CD supply chain security by pinning GitHub Actions to immutable commit SHAs, tightening default GITHUB_TOKEN permissions (notably for the release workflow), and adding an OpenSSF Scorecard badge to the README.

Changes:

  • Pin third-party GitHub Actions to commit SHAs in all workflows (while retaining the original version/branch as an inline comment).
  • Add explicit workflow/job permissions in create-release.yml to avoid inheriting broad default token scopes.
  • Add an OpenSSF Scorecard badge to README.md.

Reviewed changes

Copilot reviewed 5 out of 5 changed files in this pull request and generated 3 comments.

| File | Description |
| --- | --- |
| README.md | Adds OpenSSF Scorecard badge alongside existing project badges. |
| .github/workflows/update-data.yml | Pins actions (checkout, setup-python, action-update-file) to SHAs. |
| .github/workflows/test-package.yml | Pins actions (checkout, setup-python, codecov-action) to SHAs. |
| .github/workflows/pre-commit-autoupdate.yml | Pins actions (checkout, setup-python, autoupdate, create-pull-request) to SHAs. |
| .github/workflows/create-release.yml | Deny-by-default workflow permissions and pins all actions to SHAs. |

runs-on: ubuntu-latest
# environment: release
permissions:
contents: write
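
Review bot: `# environment: release` directly above `permissions:` is left commented out, so this job, which is granted `contents: write`, is not bound to a GitHub environment and none of an environment's protection rules (required reviewers, allowed branches or tags) apply before it runs. As part of this hardening, consider either enabling the line or deleting the dead comment so the intent is unambiguous.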

Copilot AI Apr 17, 2026

The job sets contents: write, but the release creation uses WORKFLOWS_CREATE_RELEASE_TOKEN and checkout only needs read access. To keep the hardened permissions: {} approach least-privilege, consider changing this to contents: read unless there's a specific need for write via GITHUB_TOKEN.

Suggested change
contents: write
contents: read

Copilot uses AI. Check for mistakes.
Comment on lines 24 to +29
steps:

- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
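
Review bot: the trailing comments on both pinned `uses:` lines record only the moving major tag (`# v6`), so nothing in the file says which release each SHA was taken from and a later audit has to resolve the SHA by hand. Consider recording the exact release tag each SHA corresponds to in the comment, and make sure an automated updater is configured for these workflows so the pins do not go stale.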

Copilot AI Apr 17, 2026

The steps: list items appear to be indented at the same level as the steps: key (e.g., - uses: ...), which will make the workflow YAML invalid. Indent each step item under steps: so the list is nested correctly.

Comment on lines +16 to 20
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6

- name: Set up Python
uses: actions/setup-python@v6
uses: actions/setup-python@a309ff8b426b58ec0e2a45f0f869d46889d02405 # v6
with:

Copilot AI Apr 17, 2026

This workflow is currently granted contents: write at the workflow level, but the only write operation appears to use a dedicated token (WORKFLOWS_UPDATE_DATA_TOKEN). Consider reducing the workflow/job GITHUB_TOKEN permissions to contents: read (or permissions: {} plus job-level contents: read) to follow least-privilege.

@fabiocaccamo fabiocaccamo deleted the copilot/increase-security-level branch April 17, 2026 14:10
Copilot AI mentioned this pull request Apr 17, 2026
3 tasks