ci: harden anchore image scan and pin scan actions

Bump anchore/scan-action to v7.4.0 and fail the build on fixable critical
vulnerabilities. Pin both scan and upload-sarif actions to commit SHAs.

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

Author: Dibran Mulder

.github/workflows/delivery.yml

@@ -54,16 +54,17 @@ jobs:
           cache-to: type=gha,mode=max
 
       - name: Scan Image
-        uses: anchore/scan-action@v3
+        uses: anchore/scan-action@e1165082ffb1fe366ebaf02d8526e7c4989ea9d2 # v7.4.0
         id: scan
         with:
           image: local/${{ github.repository }}:scan
           only-fixed: true
-          fail-build: false
+          fail-build: true
+          severity-cutoff: critical
           output-format: sarif
 
       - name: Upload Anchore scan SARIF report
-        uses: github/codeql-action/upload-sarif@v4
+        uses: github/codeql-action/upload-sarif@7211b7c8077ea37d8641b6271f6a365a22a5fbfa # v4.36.0
         if: ${{ !cancelled() }}
         with:
           sarif_file: ${{ steps.scan.outputs.sarif }}