fix(security): OpenSSF Scorecard compliance fixes

- CodeQL: Changed language matrix from ['javascript', 'python', 'go', 'java', 'ruby'] to ['actions']
  (Rust is not supported by CodeQL; 'actions' scans workflow files)
- SHA-pinned all GitHub Actions:
  - dtolnay/rust-toolchain@stable -> @6d9817901c499d6b02debbb57edb38d33daa680b
  - Swatinem/rust-cache@v2 -> @ad397744b0d591a723ab90405b7247fac0e6b8db
  - codecov/codecov-action@v5 -> @671740ac38dd9b0130fbe1cec585b89eea48d3de
  - editorconfig-checker/action-editorconfig-checker@main -> @9f8f6065f4db902c0c56cafa67cea18b3ebbb680
  - slsa-framework/slsa-github-generator@v2.1.0 -> @f7dd8c54c2067bafc12ca7a55595d5ee9b75204a
- Removed duplicate rust.yml workflow (subset of rust-ci.yml)
- Updated STATE.scm with security fixes session

Addresses Token-Permissions and Pinned-Dependencies checks.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude Opus 4.5 <noreply@anthropic.com>

Author: Jonathan D.A. Jewell

.github/workflows/codeql.yml

@@ -19,7 +19,7 @@ jobs:
     strategy:
       fail-fast: false
       matrix:
-        language: ['javascript', 'python', 'go', 'java', 'ruby']
+        language: ['actions']
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
 

.github/workflows/generator-generic-ossf-slsa3-publish.yml

@@ -65,7 +65,7 @@ jobs:
       actions: read   # To read the workflow path.
       id-token: write # To sign the provenance.
       contents: write # To add assets to a release.
-    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v2.1.0
+    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@f7dd8c54c2067bafc12ca7a55595d5ee9b75204a # v2.1.0
     with:
       base64-subjects: "${{ needs.build.outputs.digests }}"
       upload-assets: true # Optional: Upload to a new release

.github/workflows/quality.yml

@@ -34,7 +34,7 @@ jobs:
           find . -type f -size +1M -not -path "./.git/*" | head -10 || echo "No large files"
       
       - name: EditorConfig check
-        uses: editorconfig-checker/action-editorconfig-checker@main
+        uses: editorconfig-checker/action-editorconfig-checker@9f8f6065f4db902c0c56cafa67cea18b3ebbb680 # main
         continue-on-error: true
 
   docs:

.github/workflows/rust-ci.yml

@@ -14,10 +14,10 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
         with:
           components: rustfmt, clippy
-      - uses: Swatinem/rust-cache@v2
+      - uses: Swatinem/rust-cache@ad397744b0d591a723ab90405b7247fac0e6b8db # v2
 
       - name: Check formatting
         run: cargo fmt --all -- --check
@@ -37,7 +37,7 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
       - name: Install cargo-audit
         run: cargo install cargo-audit
       - name: Security audit
@@ -51,11 +51,11 @@ jobs:
       contents: read
     steps:
       - uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
-      - uses: dtolnay/rust-toolchain@stable
+      - uses: dtolnay/rust-toolchain@6d9817901c499d6b02debbb57edb38d33daa680b # stable
       - name: Install tarpaulin
         run: cargo install cargo-tarpaulin
       - name: Generate coverage
         run: cargo tarpaulin --out Xml
-      - uses: codecov/codecov-action@v5
+      - uses: codecov/codecov-action@671740ac38dd9b0130fbe1cec585b89eea48d3de # v5
         with:
           files: cobertura.xml

.github/workflows/rust.yml

@@ -7,16 +7,19 @@
 
 (define current-position
   '((phase . "v0.1 - Initial Setup")
-    (overall-completion . 25)
-    (components ((rsr-compliance ((status . "complete") (completion . 100)))))))
+    (overall-completion . 40)
+    (components ((rsr-compliance ((status . "complete") (completion . 100)))
+                 (security-fixes ((status . "complete") (completion . 100)))))))
 
 (define blockers-and-issues '((critical ()) (high-priority ())))
 
 (define critical-next-actions
   '((immediate (("Verify CI/CD" . high))) (this-week (("Expand tests" . medium)))))
 
 (define session-history
-  '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added")))))
+  '((snapshots ((date . "2025-12-15") (session . "initial") (notes . "SCM files added"))
+               ((date . "2025-12-15") (session . "security-fixes")
+                (notes . "OpenSSF Scorecard fixes: SHA-pinned actions, fixed CodeQL matrix, removed duplicate workflow")))))
 
 (define state-summary
-  '((project . "proof-of-work") (completion . 25) (blockers . 0) (updated . "2025-12-15")))
+  '((project . "proof-of-work") (completion . 40) (blockers . 0) (updated . "2025-12-15")))