#1830 update scorecard to v5 (gh action 2.4.0)

[planetf1]

• Updates to use scorecard v5
• re-pinned actions in scorecard.yaml to latest levels
• fixed report of unpinned dependencies in unix.yml
• enabled publishing of scorecard results

Note: Results are published by the openssf team at https://scorecard.dev/viewer/?uri=github.com%2Fopen-quantum-safe%2Fliboqs Enabling our own scan is recommended by openssf, allows us to enable badges, and permits some tweaking of rules The current scan results are here

Fixes #1830

n/a

• [ ] Does this PR change the input/output behaviour of a cryptographic algorithm (i.e., does it change known answer test values)? (If so, a version bump will be required from x.y.z to x.(y+1).0.)
• [ ] Does this PR change the list of algorithms available -- either adding, removing, or renaming? Does this PR otherwise change an API? (If so, PRs in fully supported downstream projects dependent on these, i.e., oqs-provider will also need to be ready for review and merge by the time this is merged.)

No change to crypto. This is build pipeline only.

[github-advanced-security[bot]]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.

[planetf1]

The notice above relates to the scorecard analysis being available as entries under the 'security' tab.

[planetf1]

@SWilson4 though of course I want to get this merged, I'd say leave until after release. It just feels with days to go we should minimize any unncessary changes so seems a good general practice