fix: pin codeql-action/upload-sarif to SHA in scorecard workflow (#267)

## Summary
- Pin `github/codeql-action/upload-sarif` from tag reference `@v4` to
full commit SHA `@38697555549f1db7851b81482ff19f1fa5c4fedc` (v4.34.1)
- This was the only non-SHA-pinned action reference across all workflow
files
- Fixes OpenSSF Scorecard workflow failure due to org policy requiring
SHA-pinned actions

## Test plan
- [ ] Scorecard workflow runs successfully with the pinned SHA

Author: CybotTM

.github/workflows/scorecard.yml

@@ -30,6 +30,6 @@ jobs:
           publish_results: true
 
       - name: Upload to code-scanning
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@38697555549f1db7851b81482ff19f1fa5c4fedc # v4.34.1
         with:
           sarif_file: results.sarif