SHA-pin GitHub Actions and upgrade deprecated checkout versions

- Upgrade actions/checkout from v2/v3 to SHA-pinned v4
- SHA-pin all unshelled action tags (pages, CodeQL, scorecard,
  rust-cache, upload/download-artifact, setup-node, cache)
- Standardise scorecard-action to v2.4.0
- Fix setup-node@v6 → SHA-pinned v4

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/scorecard.yml

@@ -20,12 +20,12 @@ jobs:
           persist-credentials: false
 
       - name: Run Scorecard
-        uses: ossf/scorecard-action@v2.3.1
+        uses: ossf/scorecard-action@62b2cac7ed8198b15735ed49ab1e5cf35480ba46 # v2.4.0
         with:
           results_file: results.sarif
           results_format: sarif
 
       - name: Upload results
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
         with:
           sarif_file: results.sarif