@gmmajal (Contributor) commented Dec 4, 2025

Relevant issue: #65

Background info:

  • Our scorecard action has flagged some unpinned dependencies and unset token permissions.
  • One of the unpinned dependencies was the codeql-action inside the scorecard.yml file. We should add the commit hash with the action.
  • The permissions need to be set at the workflow level. Following the recommendation provided by zizmor docs here: https://docs.zizmor.sh/audits/#excessive-permissions, we have disabled all permissions at the workflow level. Permissions are defined at the individual job level. This helps in preserving the principle of least privilege.
  • The checkout action can be further hardened by setting persist-credentials to false. Please refer to the zizmor docs here: https://docs.zizmor.sh/integrations/#via-zizmorcorezizmor-action.
  • There were some packages flagged in our Dockerfile which were not pinned with a hash. One of them was the base python image being used. We should add the hash digest along with the image.
  • The other unpinned dependencies were of the extra packages used by the qualle image that is generated after running the Dockerfile. One approach would be to separate them out in a requirements.txt file and add the hash provided by PyPI inside the requirements.txt file. Unfortunately, this approach failed for a few reasons. Not all of the sub-dependencies of the required packages provide a pinned version. This is a strict requirement from pip if we are to run its hash-checking mode. This could be resolved if we add the flag --no-deps when using pip, but then we lose packages needed by poetry. As a result, the subsequent RUN poetry run commands in the Dockerfile fail. Trying to build the image locally failed continuously for all of the aforementioned options. It's best not to touch the Dockerfile any further, as there doesn't seem to be any straightforward way to install the packages with a pinned hash.

Changes introduced:

  • The codeql-action has been pinned with its commit hash now.
  • The token permissions at the workflow level have been disabled. They are set individually at the job level.
  • All instances of the checkout action have persist-credentials set to false.
  • The base python image inside the Dockerfile has been updated to trixie from bullseye. It is more recent and has fewer vulnerabilities. The hash digest is included as well. The qualle image was built locally and tested. It is working fine with the new trixie base image.
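
The hardening steps described in this PR (workflow-level `permissions: {}`, per-job grants, `persist-credentials: false`, SHA-pinned actions), collected in one added example workflow. This is not the repository's own scorecard.yml; the commit SHAs and version comments are placeholders.

```yaml
# Added example, not the project's scorecard.yml. The "weak" lines are kept
# as comments next to their hardened replacements.
name: Scorecard

on:
  schedule:
    - cron: "0 6 * * 1"
  push:
    branches: [master]

# Weak: omitting this block lets every job inherit the default GITHUB_TOKEN
# permissions. Hardened: deny everything here and grant per job below.
permissions: {}

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # upload of the SARIF results
      id-token: write          # publishing results to the scorecard API
    steps:
      # Weak:   - uses: actions/checkout@v4      (mutable tag, token kept in .git/config)
      # Hardened: full commit SHA (placeholder) and no persisted credentials.
      - uses: actions/checkout@<40-hex-commit-sha>  # vX.Y.Z
        with:
          persist-credentials: false

      - uses: ossf/scorecard-action@<40-hex-commit-sha>  # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      # Weak:   - uses: github/codeql-action/upload-sarif@v3   (floats with the tag)
      # Hardened: pinned to a commit SHA; the version comment lets
      # Dependabot/Renovate keep tracking the release.
      - uses: github/codeql-action/upload-sarif@<40-hex-commit-sha>  # vX.Y.Z
        with:
          sarif_file: results.sarif
```

Replace each `<40-hex-commit-sha>` with the full commit hash of the release you intend to use; a tag or short SHA is still mutable or ambiguous and will be flagged again.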

@gmmajal gmmajal self-assigned this Dec 4, 2025
codecov-commenter commented Dec 4, 2025

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 100.00%. Comparing base (bb40264) to head (e0c778d).
⚠️ Report is 9 commits behind head on master.

Additional details and impacted files
@@            Coverage Diff            @@
##            master       #72   +/-   ##
=========================================
  Coverage   100.00%   100.00%           
=========================================
  Files           22        22           
  Lines          905       905           
=========================================
  Hits           905       905           


@gmmajal gmmajal requested a review from annakasprzik December 4, 2025 19:09
@annakasprzik (Contributor) left a comment

I don't see any issues.

@gmmajal gmmajal merged commit 564d9c3 into master Dec 5, 2025
9 checks passed