security: address 22 of 25 OSSF Scorecard findings

[prodnull]

Summary

Remediates 22 of the 25 open OSSF Scorecard code-scanning findings on main (d2744fe baseline). Splits into two logical commits:

1. Pinned-Dependencies (16 alerts + 3 npm/pip + 1 npm-ci-not-lockfile) — pin GitHub Actions by commit SHA, container images by sha256 digest, npm/pip install targets to exact versions, npm install → npm ci in the demo recorder.
2. Token-Permissions (3 alerts) + CodeQL missing-workflow-permissions (2 alerts) — move write-scope GITHUB_TOKEN permissions off the workflow top level and onto only the jobs that actually need them. Adds an explicit permissions: contents: read block to mac-policy.yml, which previously had none.

Not remediated in this PR

Alert	Rule	Reason
#19	Code-Review	Requires PR-with-approval flow; this PR contributes to closing it.
#20	Maintained	Time-based (repo <90 days old); auto-resolves.
#21	CII-Best-Practices	External badge; file separately at https://bestpractices.coreinfrastructure.org/.
#22	Vulnerabilities	7 flagged RUSTSEC advisories; some already ignored in deny.toml with rationale. Needs a focused audit pass — separate PR.
#2	Token-Permissions (jobLevel contents: write in release.yml release job)	Intentional — the release job must create the GitHub Release and upload assets. Not a Scorecard false positive but a genuinely required write.

Refresh query

gh api repos/prodnull/prmana/code-scanning/alerts --paginate \
  | jq -r '.[] | select(.state=="open") | "\(.number)\t\(.rule.name)\t\(.most_recent_instance.location.path // "n/a"):\(.most_recent_instance.location.start_line // 0)"'

Scorecard alerts addressed

• Pinned-Dependencies: deps(java): bump the java-all group in /java-oauth-dpop with 3 updates #7, deps(rust): bump the rust-all group with 13 updates #8, deps(actions): bump the actions-all group with 22 updates #9, fix(CI): TPM test_certify fails due to stale NV index #10, fix(CI): Keycloak health check uses unmapped port 9000 #11, fix(CI): IdP template verification times out on free runners #12, security: address 22 of 25 OSSF Scorecard findings #13, Interoperability with pam_authnft — per-session kernel-enforced network policy from OIDC claims #14, fix(tpm): remove unused test_config helper #16, docs: ADR-026 and TB-8 for kernel keyring session claims #17, docs: reconcile license triad and accept DCO alongside Gitsign #18, ci: remove redundant CodeQL job (default setup handles it) #23, deps(java): bump the java-all group across 1 directory with 3 updates #24, deps(rust): bump the rust-all group with 15 updates #25, deps(actions): bump the actions-all group with 24 updates #26
• Token-Permissions: deps(rust): bump the rust-all group with 13 updates #4, deps(actions): bump the actions-all group across 1 directory with 22 updates #5, deps(python): bump the python-all group in /python-oauth-dpop with 3 updates #6
• actions/missing-workflow-permissions: deps(actions): bump the actions-all group across 1 directory with 25 updates #30, deps(rust): bump the rust-all group across 1 directory with 17 updates #31

Test plan

• All modified workflow YAML parses cleanly (python3 -c 'import yaml; yaml.safe_load(open(f))').
• Image digests resolved against live Docker Hub registry (OCI index + Docker v2 manifest accept headers).
• GitHub Action SHAs resolved from annotated-tag dereference via gh api.
• npm/pip package versions are current upstream stable at time of commit.
• CI runs on this PR: Pages deploy (pinned actions), Validate Documentation (pinned npm), CI (pinned pip), mac-policy (new permissions block) all pass.
• Scorecard workflow re-run after merge closes at least 20 of the targeted alerts.

Signed commits (GPG 9D5E79FBDC9AB54D).

🤖 Generated with Claude Code