The actions actions/checkout@v4, ossf/scorecard-action@v2.3.1, and github/codeql-action/upload-sarif@v3 are not allowed in hyperpolymath/universal-language-server-plugin because all actions must be pinned to a full-length commit SHA.