OSSF Scorecard Tier-1 hardening: token-permissions + pinned-dependencies #81

@devonartis

Description

Goal

Lift OSSF Scorecard score from 6.2 → ~7.3 by fixing the two highest-impact, lowest-blast-radius categories:

  • Token-Permissions (0 → ~10): move top-level write permissions to job-level in codeql.yml and release.yml.
  • Pinned-Dependencies (8 → 10): pin Docker base images by SHA, pin go install govulncheck by commit SHA, hash-pin pip cryptography via new tests/sec-l2b/requirements-ci.txt, add pip ecosystem to Dependabot.
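For reference, the shape of the Token-Permissions and action-pinning changes described above, as an added illustration and not the repository's actual codeql.yml or release.yml; the workflow name, job names, artifact path and the all-zero commit SHAs are placeholders:

```yaml
# Hypothetical release workflow (added example, not the project's release.yml).
# Scorecard's Token-Permissions check wants the top-level block read-only,
# with write scopes granted only to the job that actually needs them.

name: release
on:
  push:
    tags: ["v*"]

# Top-level: read-only default inherited by every job in this workflow.
permissions:
  contents: read

# Weak form this replaces (kept as a comment for comparison): a top-level
# write grant gives every job, including untrusted build steps, write tokens.
# permissions:
#   contents: write
#   id-token: write

jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      # Actions pinned to a full commit SHA (Pinned-Dependencies); the version
      # tag stays in a comment so Dependabot can still propose bumps.
      # The SHA below is a placeholder, not a real actions/checkout commit.
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x
      - run: go build ./...

  release:
    needs: build
    runs-on: ubuntu-latest
    # Job-level grant: only this job can push release contents and mint the
    # OIDC token (id-token: write) that cosign keyless signing requires.
    permissions:
      contents: write
      id-token: write
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000 # v4.x
      - uses: sigstore/cosign-installer@0000000000000000000000000000000000000000 # vX.Y
      # Hypothetical artifact path; keyless signing uses the job's OIDC identity.
      - run: cosign sign-blob --yes dist/release.tar.gz
```

The same pinning idea applies to the pip side: a `requirements-ci.txt` line of the form `cryptography==<version> --hash=sha256:<digest>` installed with `pip install --require-hashes -r requirements-ci.txt` fails closed if the downloaded wheel does not match the recorded hash.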

Out of scope (deferred to follow-ups)

  • Branch-Protection (-1): needs fine-grained PAT (administration:read) added as repo secret AGENTWRIT_SCORECARD_PAT. Separate one-commit PR after owner provisions.
  • Code-Review (0): branch protection rule + reviewer policy decision.
  • Maintained (0): auto-fixes 2026-06-30 (repo age gate).
  • Fuzzing (0): needs new test code — separate brainstorm.
  • CII-Best-Practices (0): external web form at bestpractices.coreinfrastructure.org.
  • Contributors (0): needs external contributors.
  • Signed-Releases (-1): fixes on next v* tag push.

Artifacts

  • Design: ~/proj/devflow/agentwrit/.plans/designs/2026-05-13-ossf-scorecard-tier1-hardening.md
  • Spec: ~/proj/devflow/agentwrit/.plans/specs/2026-05-13-ossf-scorecard-tier1-spec.md

Acceptance

  1. Scorecard re-run reports Token-Permissions ≥ 8 and Pinned-Dependencies = 10.
  2. All 20 existing CI gates pass.
  3. tests/sec-l2b/integration.sh passes with the new hash-pinned cryptography install.
  4. release.yml cosign keyless signing still works on next main push.
  5. Dependabot opens a pip-ecosystem PR within 7 days.

Branch

fix/ossf-scorecard-tier1 from develop.
