ci: replace imposter codeql-action SHA with real v4 pin#17

Merged
amcheste merged 1 commit into develop from ci/scorecard-codeql-sha-fix, May 12, 2026
Conversation

@amcheste-ai-agent (Contributor)

Summary

Follow-up to PR #16. The publish_results fix in #16 will let the Scorecard workflow try to publish on the next Monday scheduled run (the first time this repo has published since the develop-default branch was set). But the pinned SHA on github/codeql-action/upload-sarif is an imposter commit per OSSF Scorecard's anti-supply-chain check, so the publish would fail at the SARIF upload step with:

imposter commit: d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e
does not belong to github/codeql-action/upload-sarif

(Already verified failing on claude-teams-operator for the same reason since at least 2026-04-29.)

Fix

-      - uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+      - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
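Review bot: the replacement commit is shown resolving from the `v4` tag object, which addresses the "does not belong to github/codeql-action/upload-sarif" finding, but `v4` is a floating major tag, so the trailing `# v4` comment does not record which release this commit actually is; consider resolving the exact release tag that points at 68bde559dea0fdcac2102bfdf6230c5f70eb485e and writing that in the comment (e.g. `# v4.<minor>.<patch>`, placeholder), so the pin stays auditable after the `v4` tag moves and automated pin-update tooling can match it. A reachability check of the commit against the repository (rather than only the tag dereference) would also directly mirror what the Scorecard imposter check evaluates.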

The new SHA is the real v4 tag commit, verified via:

gh api repos/github/codeql-action/git/refs/tags/v4
→ tag object SHA 5e316336eb4f107009e477d4bfbfff13d7250fae
gh api repos/github/codeql-action/git/tags/5e316336eb4f107009e477d4bfbfff13d7250fae
→ object: { type: commit, sha: 68bde559dea0fdcac2102bfdf6230c5f70eb485e }

Cross-repo status

The same imposter SHA propagated from repo-template into every repo born from it. Companion fixes:

  • repo-template PR #11 (open, includes both publish_results + SHA fixes)
  • claude-teams-operator PR #228 (open, includes table-cell em-dash sweep + scorecard fixes)

Verification

  • git diff develop --name-only → exactly .github/workflows/scorecard.yml.
  • 1-line change.

No-Linear-Issue: follow-up to PR #16, propagating cross-family scorecard SHA fix

🤖 Generated with Claude Code

Follow-up to PR #16. The publish_results fix in #16 will let
the workflow try to publish on the next Monday scheduled run.
But the pinned SHA on github/codeql-action/upload-sarif is an
imposter commit per OSSF Scorecard's anti-supply-chain check,
and the publish step would fail with:

  imposter commit: d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e
  does not belong to github/codeql-action/upload-sarif

Swap to the real v4 tag commit
68bde559dea0fdcac2102bfdf6230c5f70eb485e, verified via gh api.

The same imposter pin propagated from repo-template into every
repo born from it. Companion fixes:
- repo-template PR #11 (open)
- claude-teams-operator PR #228 (open)

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Co-Authored-By: amcheste <13696614+amcheste@users.noreply.github.com>
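The two-step tag resolution the PR description walks through (ref, then annotated tag object, then commit) generalises to an audit over a whole workflow file. The script below is an added example, not code from this PR or its repository. It models `gh api` with a `fetch(path)` callable so the logic runs offline against constructed responses: the codeql-action responses reuse the tag-object and commit SHAs quoted above, while `example-org/lightweight-action` and its all-zero SHA are invented to exercise the lightweight-tag branch (a ref that points straight at a commit, which the page's annotated `v4` does not). `gh_fetch` runs the same audit live through the gh CLI.

```python
"""Audit SHA-pinned GitHub Actions against the commit their release tag resolves to.

Added example; not code from this PR or its repository. `gh api` is modelled
by a `fetch(path) -> dict` callable so tag resolution can be exercised offline
with constructed responses; pass `gh_fetch` instead to run it for real.
"""
import json
import re
import subprocess
from typing import Callable, Dict, List, Tuple

# Matches `uses: owner/repo[/sub/path]@<40-hex sha>  # <tag>` and captures all three parts.
USES_RE = re.compile(
    r"uses:\s*([\w.-]+/[\w.-]+(?:/[\w./-]+)?)@([0-9a-f]{40})\s*#\s*(\S+)"
)


def parse_pins(workflow_text: str) -> List[Tuple[str, str, str]]:
    """Return (action, pinned_sha, tag_comment) for every SHA-pinned step."""
    return [m.groups() for m in USES_RE.finditer(workflow_text)]


def resolve_tag(owner_repo: str, tag: str, fetch: Callable[[str], dict]) -> str:
    """Resolve refs/tags/<tag> to a commit SHA.

    An annotated tag (the codeql-action v4 case) points at a tag object that
    must be dereferenced a second time; a lightweight tag points straight at
    the commit, so the second call is skipped.
    """
    obj = fetch(f"repos/{owner_repo}/git/refs/tags/{tag}")["object"]
    if obj["type"] == "tag":
        obj = fetch(f"repos/{owner_repo}/git/tags/{obj['sha']}")["object"]
    if obj["type"] != "commit":
        raise ValueError(f"{owner_repo}@{tag} resolves to a {obj['type']}, not a commit")
    return obj["sha"]


def audit(workflow_text: str, fetch: Callable[[str], dict]) -> Dict[str, str]:
    """Map each `action@sha` pin to 'ok' or a 'mismatch: <tag> -> <real sha>' note."""
    results: Dict[str, str] = {}
    for action, sha, tag in parse_pins(workflow_text):
        owner_repo = "/".join(action.split("/")[:2])  # drop the sub-action path
        resolved = resolve_tag(owner_repo, tag, fetch)
        results[f"{action}@{sha}"] = (
            "ok" if resolved == sha else f"mismatch: {tag} -> {resolved}"
        )
    return results


def gh_fetch(path: str) -> dict:
    """Live fetch through the gh CLI (needs an authenticated `gh`)."""
    out = subprocess.run(["gh", "api", path], check=True, capture_output=True, text=True)
    return json.loads(out.stdout)


# Constructed workflow fragment: the imposter pin and the corrected pin from the
# PR diff, plus a hypothetical action pinned to a lightweight tag (not on the page).
SAMPLE_WORKFLOW = """
      - uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
      - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
      - uses: example-org/lightweight-action@0000000000000000000000000000000000000000 # v1
"""

# Constructed API responses. The codeql-action entries reuse the tag-object and
# commit SHAs quoted in the PR description; the example-org entries are invented.
FAKE_API = {
    "repos/github/codeql-action/git/refs/tags/v4": {
        "object": {"type": "tag", "sha": "5e316336eb4f107009e477d4bfbfff13d7250fae"}
    },
    "repos/github/codeql-action/git/tags/5e316336eb4f107009e477d4bfbfff13d7250fae": {
        "object": {"type": "commit", "sha": "68bde559dea0fdcac2102bfdf6230c5f70eb485e"}
    },
    "repos/example-org/lightweight-action/git/refs/tags/v1": {
        "object": {"type": "commit", "sha": "0000000000000000000000000000000000000000"}
    },
}


def fake_fetch(path: str) -> dict:
    """Offline stand-in for gh_fetch."""
    return FAKE_API[path]


if __name__ == "__main__":
    for pin, status in audit(SAMPLE_WORKFLOW, fake_fetch).items():
        print(f"{status:<60} {pin}")
```

Run against the sample, the imposter line is reported as `mismatch: v4 -> 68bde559…` while the corrected line and the lightweight-tag line report `ok`. Pointing `audit` at a real workflow file with `gh_fetch` reproduces the verification from the PR description for every pinned step at once.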
amcheste-ai-agent (bot) requested a review from amcheste as a code owner, May 11, 2026 22:16

amcheste (Owner) commented May 12, 2026

Merge activity

  • May 12, 12:31 AM UTC: A user started a stack merge that includes this pull request via Graphite.
  • May 12, 12:31 AM UTC: @amcheste merged this pull request with Graphite.

amcheste merged commit 5ecde9c into develop, May 12, 2026
6 checks passed