ci: harden GitHub Actions workflows

Pin workflow actions to commit SHAs, set explicit permissions and timeouts, update Ubuntu runners, and include the generated action bundle.

Co-Authored-By: Codex <noreply@openai.com>

.github/workflows/codeql-analysis.yml

@@ -6,19 +6,24 @@ on:
       - main
   pull_request:
 
+permissions:
+  security-events: write
+  contents: read
+
 jobs:
   CodeQL-Build:
-    runs-on: ubuntu-22.04
+    runs-on: ubuntu-24.04
+    timeout-minutes: 20
     steps:
-      - uses: actions/checkout@v4
+      - uses: actions/checkout@34e114876b0b11c390a56381ad16ebd13914f8d5 # v4.3.1
 
       - name: Initialize CodeQL
-        uses: github/codeql-action/init@v3
+        uses: github/codeql-action/init@1521896cd211af95be3f02edf6f436e10b819c27 # v3.35.4
         with:
           languages: javascript
 
       - name: Autobuild
-        uses: github/codeql-action/autobuild@v3
+        uses: github/codeql-action/autobuild@1521896cd211af95be3f02edf6f436e10b819c27 # v3.35.4
 
       - name: Perform CodeQL Analysis
-        uses: github/codeql-action/analyze@v3
+        uses: github/codeql-action/analyze@1521896cd211af95be3f02edf6f436e10b819c27 # v3.35.4