security: pin all GitHub Actions to SHA hashes

Pin codeql-action/init, autobuild, analyze, and upload-sarif to SHA
6624720a57d4c312633c7b953db2f2da5bcb4c3a (v3) per OpenSSF Scorecard
Pinned-Dependencies check.

Auto-fixed by: gitbot-fleet/fix-unpinned-actions.sh
Recipe: recipe-scorecard-pinned-dependencies

Co-Authored-By: Claude Opus 4.6 <noreply@anthropic.com>

Author: hyperpolymath

.github/workflows/codeql.yml

@@ -27,14 +27,14 @@ jobs:
         uses: actions/checkout@93cb6efe18208431cddfb8368fd83d5badbf9bfd # v5
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
         with:
           languages: ${{ matrix.language }}
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
         with:
           category: "/language:${{matrix.language}}"

.github/workflows/scorecard.yml

@@ -31,6 +31,6 @@ jobs:
           publish_results: true
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@v3
+        uses: github/codeql-action/upload-sarif@6624720a57d4c312633c7b953db2f2da5bcb4c3a # v3
         with:
           sarif_file: results.sarif