
Fix Scorecard #261

Open
JosephDenman wants to merge 3 commits into main from JosephDenman/fix-scorecard

Conversation

Contributor

@JosephDenman JosephDenman commented Mar 25, 2026

Motivation

PR #236 (Improve README and CONTRIBUTING) has been blocked from merging because the Scorecard code scanning check fails with three findings:

  • Vulnerabilities: 13 known vulnerabilities in dependencies
  • SAST: no static analysis tool detected
  • Fuzzing: no fuzzing/property-based testing detected

These are repo-wide issues, not specific to that PR. This PR fixes them so that #236 (and future PRs) can merge cleanly.

Summary

  • Harden all 24 GitHub Actions workflows to follow the principle of least privilege: top-level permissions: {} everywhere, with only the minimum grants each job actually needs
  • Pin the remaining unpinned action references (actions/cache, actions/setup-python) to commit SHAs
  • Add a CodeQL workflow for SAST coverage (Scorecard was flagging its absence)
  • Add a fast-check property-based test for VLQ encode/decode roundtrips (Scorecard Fuzzing check)
  • Migrate inline test reporting out of compatibility-test, release-test, and several other workflows into the centralized publish-test-results.yml via artifact uploads — same pattern we already use for compiler-extracted and build-vscplugin
  • Update scan.yml to use the latest version of upload-sarif-github-action, which lets us configure which Scorecard checks run. I exclude Token-Permissions because it false-positives on release workflows that legitimately need contents: write to create GitHub releases and push tags
  • Run cargo update and yarn upgrade to clear known vulnerabilities flagged by Scorecard's Vulnerabilities check

Notes

  • The two release workflows (internal-release.yml, public-release.yml) still declare contents: write on their release-creation jobs. This is unavoidable — they need it to push tags and create releases. Excluding the Token-Permissions Scorecard check is the correct fix here since the permission is already scoped to the minimum (single job, manual-trigger-only workflows).
  • A few vulnerability findings remain that we can't resolve without major version bumps or waiting on upstream: jsonwebtoken (blocked by octocrab), number_prefix (unmaintained transitive dep from cargo-nextest), and serialize-javascript/diff (locked by mocha).

@JosephDenman JosephDenman self-assigned this Mar 25, 2026
@JosephDenman JosephDenman requested review from a team as code owners March 25, 2026 16:51
@github-actions

github-actions bot commented Mar 25, 2026

Plugin Test Summary

 1 files   3 suites   1s ⏱️
21 tests 21 ✅ 0 💤 0 ❌
23 runs  23 ✅ 0 💤 0 ❌

Results for commit 3c50812.

♻️ This comment has been updated with latest results.

@github-advanced-security

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

    if: ${{ always() && github.event_name == 'workflow_dispatch' }}
    runs-on: ubuntu-latest
    permissions:
      contents: write

Check failure

Code scanning / Scorecard

Token-Permissions

score is 0: jobLevel 'contents' permission set to 'write' Remediation tip: Visit [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/file://./internal-release.yml/unknown?enable=permissions). Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit [https://app.stepsecurity.io/securerepo](https://app.stepsecurity.io/securerepo) instead. Click Remediation section below for further remediation help
    name: Copy internal release to public repo
    runs-on: ubuntu-latest
    permissions:
      contents: write

Check failure

Code scanning / Scorecard

Token-Permissions

score is 0: jobLevel 'contents' permission set to 'write' Remediation tip: Visit [https://app.stepsecurity.io/secureworkflow](https://app.stepsecurity.io/secureworkflow/file://./public-release.yml/unknown?enable=permissions). Tick the 'Restrict permissions for GITHUB_TOKEN' Untick other options NOTE: If you want to resolve multiple issues at once, you can visit [https://app.stepsecurity.io/securerepo](https://app.stepsecurity.io/securerepo) instead. Click Remediation section below for further remediation help
@github-actions

github-actions bot commented Mar 25, 2026

Compactc E2E Test Summary

    1 files       1 suites   5m 49s ⏱️
2 825 tests   2 825 ✅ 0 💤 0 ❌

Results for commit 3c50812.

♻️ This comment has been updated with latest results.

@JosephDenman JosephDenman force-pushed the JosephDenman/fix-scorecard branch from aeaa6a9 to 0d3d539 March 26, 2026 17:30
Signed-off-by: JosephDenman <joseph.denman@iohk.io>
Signed-off-by: JosephDenman <joseph.denman@iohk.io>
@JosephDenman JosephDenman force-pushed the JosephDenman/fix-scorecard branch from 0d3d539 to 1d17956 March 26, 2026 17:31
Signed-off-by: JosephDenman <joseph.denman@iohk.io>
@JosephDenman JosephDenman force-pushed the JosephDenman/fix-scorecard branch from 1d17956 to 3c50812 March 26, 2026 17:34