🌱 polish scorecard workflow for use as example workflow

[spencerschrock]

What kind of change does this PR introduce?

workflow update

• PR title follows the guidelines defined in our pull request documentation

What is the current behavior?

Some version comments are out of date.
One actions is out of date

What is the new behavior (if this is a feature change)?**

• Adds version comments
• adds some explanatory comments
• deleted repo_token arg since it will use the GitHub token by default anyway
• Updates github/codeql-action/upload-sarif to the latest release, not sure why dependabot hasn't updated it.

The intent is to use this file as an example for the Scorecard Action repo (see ossf/scorecard-action#1352) so it remains up-to-date through dependabot. Currently the workflow example from the Scorecard Action readme is out of date (see #3968) .

Where possible I tried to make the workflow match our example, in terms of comments.

• Tests for the changes have been added (for bug fixes/features)

Which issue(s) this PR fixes

Related to #3968 and ossf/scorecard-action#1287

Special notes for your reviewer

Does this PR introduce a user-facing change?

For user-facing changes, please add a concise, human-readable release note to
the release-note

(In particular, describe what changes users might need to make in their
application as a result of this pull request.)

NONE

[codecov]

Codecov Report

Merging #3969 (7dd0c0c) into main (5b0ae81) will decrease coverage by 4.49%.
The diff coverage is n/a.

Additional details and impacted files

@@            Coverage Diff             @@
##             main    #3969      +/-   ##
==========================================
- Coverage   75.01%   70.52%   -4.49%     
==========================================
  Files         227      227              
  Lines       16263    16263              
==========================================
- Hits        12199    11469     -730     
- Misses       3290     4067     +777     
+ Partials      774      727      -47