Improve supply chain security

[alpe]

• use Harden Runner in all GH workflows
• use hashes instead of versions in GH workflows
• add OpenSSF Scorecard GH workflow to identify issues
• use cosigner to sign docker image via GH action
• use dependency-review GH action
• add security.md with contact details

I found some nice examples in https://github.com/sozercan/aikit/tree/main/.github/workflows

Not related to supply chain security but code quality

• add codeql GH action
• add linter GH action
• add gosec

[samos123]

I'm all for security improvements, but at the same need to ensure that:

• doesn't make it more painful to do releases and development on the project
• doesn't hurt the UX
• doesn't significantly increase complexity

I think all of your tasks make sense, except Harden Runner might make adding and updating GH workflows a bit more painful, but at the same time it does seem good to prevent malicious PRs as well.