
ci: set up OpenSSF Scorecard workflow #411

Merged

Conversation

step-security-bot
Contributor

Summary

This pull request is created by StepSecurity at the request of @gustavkj. Please merge the Pull Request to incorporate the requested changes. Please tag @gustavkj on your message if you have any questions related to the PR.

Security Fixes

Add OpenSSF Scorecard Workflow

OpenSSF Scorecard is an automated tool that assesses a number of important heuristics ("checks") associated with software security and assigns each check a score of 0-10. You can use these scores to understand specific areas to improve in order to strengthen the security posture of your project.

Scorecard workflow also allows maintainers to display a Scorecard badge on their repository to show off their hard work.

Feedback

For bug reports, feature requests, and general feedback, please email [email protected]. To create such PRs, please visit https://app.stepsecurity.io/securerepo.

Signed-off-by: StepSecurity Bot [email protected]

@gustavkj
Collaborator

@lindell I'm thinking that it might be nice to run this workflow to make sure that the score is up-to-date. Then later maybe, we want to add the badge to the readme.

I'm thinking it is probably good to remove some of the auto-generated comments from the workflow file, as it is quite noisy right now. Do you agree?

@lindell
Owner

lindell commented Oct 29, 2023

> I'm thinking it is probably good to remove some of the auto-generated comments from the workflow file, as it is quite noisy right now. Do you agree?

Agree. Seems that a lot of comments are there to guide the setup.

@gustavkj
Collaborator

@lindell I've updated the workflow. I think it looks fine. It is optional to upload it to GitHub as well, but I think it's probably nice to be able to see it here as well.
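As an added illustration (not the workflow file from this PR, which is not shown on the page), this is the shape of a trimmed OpenSSF Scorecard workflow of the kind the PR description and the comment above discuss, including the optional step that uploads the SARIF results to GitHub code scanning so they are visible in the repository's Security tab. The cron schedule, the `master` branch name and the `<pinned-commit-sha>` placeholders are assumptions; in a real repository each action is pinned to a full commit SHA, which is what Scorecard's own Pinned-Dependencies check looks for.

```yaml
# Example Scorecard workflow (added illustration, not this PR's file).
name: Scorecard supply-chain security

on:
  branch_protection_rule:          # re-score when branch protection changes
  schedule:
    - cron: '30 1 * * 6'           # weekly run; constructed schedule
  push:
    branches: [ master ]           # assumed default branch

# Least privilege: nothing in this workflow may write unless a job says so.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      contents: read
      actions: read
      security-events: write       # only needed for the SARIF upload step
      id-token: write              # only needed to publish results to the OpenSSF API

    steps:
      - name: Checkout code
        uses: actions/checkout@<pinned-commit-sha>   # placeholder: pin to a full SHA
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@<pinned-commit-sha>   # placeholder: pin to a full SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # publish_results: true sends the score to the OpenSSF API (what the
          # README badge reads); set to false to keep results in the repo only.
          publish_results: true

      # Optional, as the comment above notes: upload the SARIF so findings show
      # up under the repository's Security tab (code scanning alerts).
      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@<pinned-commit-sha>   # placeholder
        with:
          sarif_file: results.sarif
```

Keeping `permissions: read-all` at the top and granting `security-events: write` and `id-token: write` only to the one job is what keeps the workflow itself from lowering the Token-Permissions score it is meant to measure.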

@lindell lindell merged commit 86ad845 into lindell:master Oct 30, 2023
8 checks passed
Contributor

github-actions bot commented Nov 2, 2023

Included in release v0.48.1 🎉
