chore: harden GitHub Actions security — pin actions to SHA, restrict permissions, add OpenSSF Scorecard badge#174

Merged
fabiocaccamo merged 1 commit into main from copilot/increase-security-level
Apr 17, 2026
Conversation

Contributor

Copilot AI commented Apr 17, 2026

Increases CI/CD supply chain security by pinning all action references to immutable commit SHAs, enforcing least-privilege permissions, and surfacing the OpenSSF Scorecard rating.

Action pinning — all three workflows now reference actions by full commit SHA with a version comment:

  • actions/checkout@de0fac2e (v6.0.2)
  • actions/setup-python@a309ff8b (v6.2.0)
  • codecov/codecov-action@57e3a136 (v6.0.0)
  • browniebroke/pre-commit-autoupdate-action@f5c3ec85 (v1.0.1, was @main)
  • peter-evans/create-pull-request@5f6978fa (v8.1.1)
  • ffurrer2/extract-release-notes@273da39a (v3.1.0)
  • ncipollo/release-action@339a8189 (v1.21.0)
  • pypa/gh-action-pypi-publish@cef22109 (release/v1)

Permission fixes

  • pre-commit-autoupdate.yml: moved contents: write + pull-requests: write from top-level to job-level; top-level set to permissions: {}
  • create-release.yml: no top-level permissions were defined (inheriting GitHub defaults); added permissions: {} at top-level and explicit contents: write + id-token: write at job-level
  • test-package.yml: already minimal (contents: read) — no change

README: Added OpenSSF Scorecard badge after the ruff badge.

Checklist before requesting a review

  • I have performed a self-review of my code.
  • I have added tests for the proposed changes.
  • I have run the tests and there are no errors.

…recard badge

Agent-Logs-Url: https://github.com/fabiocaccamo/python-fsutil/sessions/7b55937c-fe82-4de1-ba5a-3251c8a969de

Co-authored-by: fabiocaccamo <1035294+fabiocaccamo@users.noreply.github.com>
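The two properties this PR enforces, immutable `uses:` refs and an empty top-level `permissions` block with grants moved to job level, can be checked mechanically. The lint below is an added example, not code from python-fsutil or this PR; BEFORE and AFTER are constructed workflow texts that mirror the PR's description of pre-commit-autoupdate.yml (the checkout SHA is the one from the diff, the second SHA is a placeholder).

```python
import re
# Added example, not code from python-fsutil or this PR: a small lint for the two properties
# the PR enforces, SHA-pinned `uses:` refs and an empty top-level permissions block.
# BEFORE/AFTER are constructed texts mirroring the PR's description of pre-commit-autoupdate.yml.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")

def find_unpinned_actions(workflow_text):
    """Return (line, ref) for each `uses:` not pinned to a 40-hex commit SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local and container actions are not SHA-pinnable
        ref = m.group(1)
        # tags and branches (v6, main) can be moved; only a full commit SHA is immutable
        if not re.fullmatch(r"[0-9a-f]{40}", ref.rpartition("@")[2]):
            findings.append((lineno, ref))
    return findings

def top_level_permissions(workflow_text):
    """None if no top-level `permissions:`, {} for `permissions: {}`, else {scope: level}."""
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):
            continue  # indented (job-level) blocks are fine; only the top level is checked
        rest = line[len("permissions:"):].split("#")[0].strip()
        if rest:  # inline value: {} or a shorthand such as read-all / write-all
            return {} if rest == "{}" else {"*": rest}
        perms = {}
        for nxt in lines[i + 1:]:
            km = re.match(r"^\s+([\w-]+):\s*(\S+)", nxt)
            if not km:
                break
            perms[km.group(1)] = km.group(2)
        return perms
    return None

BEFORE = ("permissions:\n  contents: write\n  pull-requests: write\n"
          "jobs:\n  autoupdate:\n    steps:\n      - uses: actions/checkout@v6\n"
          "      - uses: browniebroke/pre-commit-autoupdate-action@main\n")
AFTER = """\
permissions: {}
jobs:
  autoupdate:
    permissions:
      contents: write
      pull-requests: write
    steps:
      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd  # v6.0.2
      - uses: browniebroke/pre-commit-autoupdate-action@1111111111111111111111111111111111111111  # placeholder SHA, not a real commit
"""
```

Running both functions over BEFORE reports the two mutable refs and the top-level write grants; over AFTER both checks come back clean.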

codecov Bot commented Apr 17, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.
✅ Project coverage is 98.33%. Comparing base (7fb996d) to head (0035464).
⚠️ Report is 1 commit behind head on main.

Additional details and impacted files
@@           Coverage Diff           @@
##             main     #174   +/-   ##
=======================================
  Coverage   98.33%   98.33%           
=======================================
  Files          13       13           
  Lines         780      780           
=======================================
  Hits          767      767           
  Misses         13       13           
Flag Coverage Δ
unittests 98.33% <ø> (ø)


@fabiocaccamo fabiocaccamo marked this pull request as ready for review April 17, 2026 08:06
Copilot AI review requested due to automatic review settings April 17, 2026 08:06
@fabiocaccamo fabiocaccamo merged commit 2c5291c into main Apr 17, 2026
23 checks passed

Copilot AI left a comment

Pull request overview

Hardens the repository’s CI/CD supply-chain security by pinning GitHub Actions to immutable SHAs and tightening default workflow permissions, plus adds an OpenSSF Scorecard badge to the README.

Changes:

  • Pin all GitHub Actions uses: references to full commit SHAs (with version comments) across workflows
  • Enforce least-privilege permissions by setting workflow-level permissions: {} and explicitly granting job-level permissions where needed
  • Add an OpenSSF Scorecard badge to the README

Reviewed changes

Copilot reviewed 4 out of 4 changed files in this pull request and generated 1 comment.

File: Description
README.md: Adds OpenSSF Scorecard badge alongside existing quality/security badges
.github/workflows/test-package.yml: Pins checkout, setup-python, and codecov actions to SHAs
.github/workflows/pre-commit-autoupdate.yml: Moves write permissions to job-level and pins actions to SHAs
.github/workflows/create-release.yml: Adds workflow-level permissions: {}, grants job permissions, and pins actions to SHAs

Comment on lines 24 to 28
steps:

- uses: actions/checkout@v6
- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2

- name: Set up Python ${{ matrix.python-version }}
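Review bot: the `# v6.0.2` comment beside the SHA on the `- uses: actions/checkout@de0fac2e...` line is the only human-readable version hint and nothing in the workflow verifies that the two agree, so confirm before merging that this SHA is the commit the v6.0.2 tag points to, and pair the pin with a Dependabot (`package-ecosystem: "github-actions"`) or Renovate rule so the SHA and its comment are bumped together instead of the pin silently going stale.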
Copilot AI Apr 17, 2026

In this workflow the steps: list items are not indented under steps: (e.g., - uses: and subsequent steps are aligned with steps:). This makes the YAML invalid (the list becomes a sibling of steps:) and will prevent the workflow from running. Indent each step item two spaces further so they are children of steps: (consistent with the other workflows in this repo).

@fabiocaccamo fabiocaccamo deleted the copilot/increase-security-level branch April 17, 2026 14:07