feat(security): add OpenSSF Scorecard workflow and maximize score (#498)

* feat(security): add OpenSSF Scorecard workflow and maximize score - Add scorecard.yml workflow (weekly + push to main) with SARIF upload - Add CONTRIBUTING.md for contributor guidelines - Add SLSA provenance attestation job to release workflow - Add CycloneDX SBOM generation job to release workflow - Pin Dockerfile base images to sha256 digests - Enable Renovate pinDigests and platformAutomerge - Add OpenSSF Scorecard badge to README * fix(docs): address PR #498 review comments and remove .coderabbit.yaml - Delete .coderabbit.yaml (falls back to shared org-level config) - Add missing linter deps to CONTRIBUTING.md install step - Separate make all and make test into distinct steps - Fix line length note to match EditorConfig (200 chars, no MD override) - Add yamllint/markdownlint to YAML/JSON/Markdown linter list - Refine action references guidance - Expand "Adding a New Action" section with action-docs and catalog info
2026-03-09 21:57:11 +00:00 · 2026-03-09 01:59:07 +02:00
parent 34372bcd36
commit a0cc32995f
8 changed files with 295 additions and 86 deletions
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -0,0 +1,37 @@
+---
+# yaml-language-server: $schema=https://json.schemastore.org/github-workflow.json
+name: OpenSSF Scorecard
+
+on:
+  push:
+    branches: [main]
+  schedule:
+    - cron: '0 2 * * 0' # Weekly Sunday 2AM UTC
+
+permissions: {}
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - uses: actions/checkout@71cf2267d89c5cb81562390fa70a37fa40b1305e # v6-beta
+        with:
+          persist-credentials: false
+      - uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+      - uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4.6.2
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+      - uses: github/codeql-action/upload-sarif@0d579ffd059c29b07949a3cce3983f0780820c98 # v4.32.6
+        with:
+          sarif_file: results.sarif