v0.16.5

@pezhik pezhik released this 17 Jun 22:14
· 21 commits to main since this release

Security / supply-chain hardening (CI only — engine unchanged, ruleset 17)

  • All GitHub Actions pinned to full commit SHA (with a version comment) across CI, CodeQL, Release, and the composite action.yml — removes the mutable-tag supply-chain risk.
  • Least-privilege permissions: declared at the top of every workflow.
  • OpenSSF Scorecard workflow + README badge (weekly supply-chain posture check, published to Code Scanning and the OpenSSF registry).
  • Dependabot for the github-actions ecosystem, so pinned SHAs are auto-updated.

No engine/detection or report-schema change — ruleset 17, report schema 1.3. Install: pip install skilltotal==0.16.5.
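
An added example (not code from the skilltotal project or its CI) of a check for the first two items above: it flags `uses:` references whose ref is not a full commit SHA, and workflows with no top-level `permissions:` key. The function name, the `is_workflow` flag (pass False for a composite action.yml, which has no such key) and both sample workflows are constructed for illustration; the 40-hex value is a placeholder, not a real commit.

```python
import re

# Pinned means the ref after "@" is a full 40-hex commit SHA, not a tag or branch.
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^\s'\"#]+)")
SHA_RE = re.compile(r"[0-9a-f]{40}")
# Only a column-0 key counts: job-level permissions are indented.
TOP_PERMS_RE = re.compile(r"^permissions\s*:", re.MULTILINE)


def audit_workflow(text, is_workflow=True):
    """Return (line_number, message) findings for one workflow or action file."""
    findings = []
    if is_workflow and not TOP_PERMS_RE.search(text):
        findings.append((0, "no top-level permissions: block"))
    for n, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)  # commented-out lines start with "#" and do not match
        if not m:
            continue
        ref = m.group(1)
        # Local actions and docker:// images are not git refs; out of scope here.
        if ref.startswith(("./", "docker://")):
            continue
        action, _, rev = ref.partition("@")
        if not SHA_RE.fullmatch(rev):
            findings.append((n, f"{action} uses mutable ref {rev or '(none)'}"))
    return findings


# Constructed sample inputs, not taken from any real repository.
SAMPLE_WEAK = """\
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local
"""
SAMPLE_PINNED = """\
on: [push]
permissions:
  contents: read
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v4 (constructed SHA)
"""
```

Run over each file under .github/workflows in a pre-merge job, a non-empty result is a reason to fail the build.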