
chore: harden OpenSSF Scorecard posture#123

Merged
joshua-temple merged 5 commits into main from chore/scorecard-hardening on Jun 3, 2026

Conversation

joshua-temple (Collaborator) commented Jun 3, 2026

What this change does

Raises the suite's OpenSSF Scorecard posture and tidies the checks UI:

  • Vulnerabilities: bumps the Go toolchain directive from 1.25.0 to 1.25.11 across every module (and go.work), clearing all 22 flagged stdlib advisories. osv-scanner now reports zero stdlib findings.
  • Pinned-Dependencies: pins every external GitHub Action to a full commit SHA (with a version comment) across all workflows.
  • SAST: adds a CodeQL workflow (Go, build-mode: manual tracing the in-workspace modules) on PRs, pushes to main, and weekly.
  • Dependency hygiene: broadens Dependabot's gomod coverage from two modules to every module, so transitive advisories in the SDK-backed sink destinations (x/crypto, x/net, x/sys, and the cloud SDKs) get swept too.
  • Checks UI: regroups the test matrices into two collapsible trees via reusable workflows — state machine tests (engine/telemetry/transport/etc.) and sink (in-workspace sink race tests + the SDK-destination matrix + the integration leg) — instead of dozens of flat top-level sink-destinations (…) / integration (…) checks. Same coverage, far less sprawl; gate still aggregates everything.

Why

Scorecard flagged 22 stdlib advisories (all from the pinned 1.25.0 patch), unpinned actions, and no SAST. After the toolchain bump the only remaining dependency vulns are transitive and confined to the optional SDK sink destinations; the consumer-facing core is clean. Broadening Dependabot is the durable fix for those rather than a one-off manual bump. Snyk was considered and dropped as redundant with Dependabot plus the existing govulncheck gate.

Relates to: https://securityscorecards.dev/viewer/?uri=github.com/stablekernel/crucible

Maintainer follow-ups

  • Coverage reporting (Codecov) was dropped from this PR pending org approval; it can land separately once approved.
  • Code Climate: onboard the repo at codeclimate.com, then add its maintainability badge (the snippet needs the repo-specific reporter ID, which only the maintainer can mint).

Checklist

  • Commits are signed off (git commit -s) per the DCO
  • Conventional commit messages (type: subject)
  • mage check passes locally — validated via go build, osv-scanner, and actionlint; the full mage check runs in CI
  • Tests added/updated — n/a (CI/build configuration only)
  • Public API changes — none

Signed-off-by: Joshua Temple <joshua.temple@stablekernel.com>
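The Pinned-Dependencies item in the description above is one of the few Scorecard checks you can reproduce locally before pushing. The Go program below is an added example, not code from the crucible project or from this PR: it scans GitHub Actions workflow text for `uses:` references (step actions and reusable workflows alike) and reports anything not pinned to a full 40-hex commit SHA, SHA pins that lack the version comment that keeps them auditable, and `docker://` actions without a digest. Local `./` references are skipped because they are already fixed by the checkout. The sample workflow, its SHAs and action names are constructed placeholders, not real pins.

```go
package main

import (
	"fmt"
	"regexp"
	"strings"
)

// usesLine matches a `uses:` entry in a workflow file (a step or a reusable
// workflow job) and captures the reference plus any trailing comment.
var usesLine = regexp.MustCompile(`^\s*-?\s*uses:\s*["']?([^\s"'#]+)["']?\s*(#.*)?$`)

// fullSHA is what Scorecard's Pinned-Dependencies check accepts: a full
// 40-character git commit SHA, not a tag or branch name.
var fullSHA = regexp.MustCompile(`^[0-9a-f]{40}$`)

// versionComment accepts trailing comments such as `# v5.0.0` or `# 1.2`.
var versionComment = regexp.MustCompile(`^#\s*v?\d+(\.\d+)*`)

// Finding is one unpinned or under-documented action reference.
type Finding struct {
	Line   int
	Ref    string
	Reason string
}

// CheckWorkflow returns one Finding per `uses:` reference that would fail
// a pinned-dependencies review. Local ./ actions are skipped.
func CheckWorkflow(src string) []Finding {
	var out []Finding
	for i, raw := range strings.Split(src, "\n") {
		m := usesLine.FindStringSubmatch(raw)
		if m == nil {
			continue
		}
		lineNo, ref, comment := i+1, m[1], strings.TrimSpace(m[2])

		if strings.HasPrefix(ref, "./") {
			continue // in-repo action or reusable workflow: pinned by the checkout itself
		}
		if strings.HasPrefix(ref, "docker://") {
			if !strings.Contains(ref, "@sha256:") {
				out = append(out, Finding{lineNo, ref, "docker action not pinned by digest"})
			}
			continue
		}
		at := strings.LastIndex(ref, "@")
		if at < 0 {
			out = append(out, Finding{lineNo, ref, "no ref at all (floats on the default branch)"})
			continue
		}
		version := ref[at+1:]
		if !fullSHA.MatchString(version) {
			out = append(out, Finding{lineNo, ref, "pinned to mutable ref " + version + ", not a commit SHA"})
			continue
		}
		if !versionComment.MatchString(comment) {
			out = append(out, Finding{lineNo, ref, "SHA pin lacks a `# vX.Y.Z` version comment"})
		}
	}
	return out
}

// sampleWorkflow is a constructed workflow; the SHAs are placeholders and
// do not correspond to real releases of the named actions.
const sampleWorkflow = `name: ci
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-go@0123456789abcdef0123456789abcdef01234567 # v5.0.0
      - uses: github/codeql-action/init@89abcdef0123456789abcdef0123456789abcdef
      - uses: ./.github/actions/local-thing
      - uses: some-org/some-action
      - uses: docker://alpine:3.20
  lint:
    uses: ./.github/workflows/reusable-lint.yml
`

func main() {
	for _, f := range CheckWorkflow(sampleWorkflow) {
		fmt.Printf("line %d: %s: %s\n", f.Line, f.Ref, f.Reason)
	}
}
```

Run against the sample it reports four findings: the floating `@v4` tag, the SHA pin with no version comment, the reference with no `@` at all, and the undigested docker image; the setup-go line and both local references pass. A real pre-push hook would walk `.github/workflows/*.yml` and feed each file to `CheckWorkflow`; Scorecard additionally inspects `run:` steps for piped-to-shell downloads, which this checker does not cover.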
joshua-temple force-pushed the chore/scorecard-hardening branch 3 times, most recently from 86db9cc to 95d25c2 on June 3, 2026 13:50
joshua-temple force-pushed the chore/scorecard-hardening branch from 95d25c2 to 0247ddc on June 3, 2026 14:00
github-advanced-security commented

You are seeing this message because GitHub Code Scanning has recently been set up for this repository, or this pull request contains the workflow file for the Code Scanning tool.

What Enabling Code Scanning Means:

  • The 'Security' tab will display more code scanning analysis results (e.g., for the default branch).
  • Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results.
  • You will be able to see the analysis results for the pull request's branch on this overview once the scans have completed and the checks have passed.

For more information about GitHub Code Scanning, check out the documentation.

joshua-temple merged commit 3f0e2f7 into main on Jun 3, 2026
93 checks passed
joshua-temple deleted the chore/scorecard-hardening branch on June 3, 2026 14:38