openssf scorecard suggested improvements

.github/workflows/pypi.yml

@@ -26,6 +26,8 @@ jobs:
       id-token: write
     steps:
       - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+        with:
+          ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
 
       - name: Determine version/tag
         id: version

.github/workflows/release-docker.yml

@@ -48,6 +48,8 @@ jobs:
     # otherwise just use the SHA tied to the release / manual dispatch.
     # -----------------------------------------------------------------------
     - uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
+      with:
+        ref: ${{ github.event_name == 'workflow_run' && github.event.workflow_run.head_sha || github.sha }}
 
     # -----------------------------------------------------------------------
     # Decide which tag we’re going to publish

.github/workflows/release-provenance.yml

@@ -10,7 +10,7 @@ jobs:
   # Compute SHA256 hashes of all release assets
   hash:
     name: Compute artifact hashes
-    runs-on: ubuntu-latest
+    runs-on: ubuntu-24.04
     permissions:
       contents: read
     outputs:

SECURITY.md

@@ -2,11 +2,6 @@
 
 ## Reporting a Vulnerability
 
-If you discover a security vulnerability in Kingfisher, please report it
-responsibly. **Do not open a public GitHub issue.**
-
-## Reporting a Vulnerability
-
 If you discover a security vulnerability in Kingfisher, please follow MongoDB's responsible disclosure process:
 
 - **Do not publicly disclose the vulnerability.**