Add Scorecard workflow for supply-chain security analysis#138

Merged
unclesp1d3r merged 2 commits into main from Add-OSSF-Scorecard-Scanning on Feb 7, 2026

Conversation

@unclesp1d3r
Member

This workflow runs Scorecard analysis for supply-chain security on the main branch and schedules it weekly.

Signed-off-by: UncleSp1d3r <unclesp1d3r@evilbitlabs.io>
Copilot AI review requested due to automatic review settings February 7, 2026 02:39
@unclesp1d3r unclesp1d3r self-assigned this Feb 7, 2026
@dosubot dosubot bot added the size:M This PR changes 30-99 lines, ignoring generated files. label Feb 7, 2026
@coderabbitai

coderabbitai bot commented Feb 7, 2026

Summary by CodeRabbit

  • Chores
    • Added an automated supply-chain security workflow that runs on code changes and schedules, generates security assessment reports, uploads artifacts, and publishes results to code scanning; includes configurable options for token/permission setup and repository visibility.

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/scorecard.yml that runs OSSF Scorecard analysis on pushes and scheduled branch-protection triggers, uploads SARIF results, and can publish results to GitHub code-scanning with configurable permissions and token guidance. (49 words)

Changes

Cohort / File(s) Summary
GitHub Actions Security Workflow
.github/workflows/scorecard.yml
Added a workflow that runs OSSF Scorecard via ossf/scorecard-action, checks out the repo, writes results.sarif, uploads the SARIF artifact, and optionally publishes code-scanning results. Includes scheduled and push triggers, minimal default permissions, and commented guidance for token/permission adjustments.

Sequence Diagram(s)

```mermaid
sequenceDiagram
    participant GitHub as GitHub (Events)
    participant Actions as Actions Runner
    participant Scorecard as ossf/scorecard-action
    participant Artifact as SARIF Artifact Storage
    participant CodeScan as GitHub Code Scanning API

    GitHub->>Actions: trigger workflow (push / schedule)
    Actions->>Scorecard: run analysis on repo
    Scorecard-->>Actions: produce results.sarif
    Actions->>Artifact: upload results.sarif (artifact)
    alt publish_results enabled
        Actions->>CodeScan: upload SARIF to code-scanning
        CodeScan-->>GitHub: store/code-scanning insights
    end
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~10 minutes

Poem

🐰 I hopped through code to find each trace,
I scanned the chains in every place,
A SARIF bag clutched to my paws,
I left small notes and handy laws,
Securely hopping on my way — hooray! 🥕

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately and concisely describes the main change: adding a Scorecard workflow for supply-chain security analysis, which matches the changeset that introduces a new GitHub Actions workflow file.
Description check ✅ Passed The description is directly related to the changeset, explaining that the workflow runs Scorecard analysis for supply-chain security on the main branch with weekly scheduling, which aligns with the workflow file additions.
Docstring Coverage ✅ Passed No functions found in the changed files to evaluate docstring coverage. Skipping docstring coverage check.


@dosubot

dosubot bot commented Feb 7, 2026

Related Documentation

Checked 21 published document(s) in 1 knowledge base(s). No updates required.


@dosubot dosubot bot added the security Security-related issues and vulnerabilities label Feb 7, 2026

Copilot AI left a comment

Pull request overview

Adds an OpenSSF Scorecard GitHub Actions workflow to evaluate supply-chain security posture and publish results (SARIF artifact + code scanning upload) on the default branch and on a weekly schedule.

Changes:

  • Introduces a new scorecard.yml workflow with push and schedule triggers (plus branch_protection_rule).
  • Runs ossf/scorecard-action and publishes results to GitHub code scanning and as an artifact.

@unclesp1d3r
Member Author

@copilot open a new pull request to apply changes based on the comments in this thread

Contributor

Copilot AI commented Feb 7, 2026

@unclesp1d3r I've opened a new pull request, #139, to work on those changes. Once the pull request is ready, I'll request review from you.

…-chain pinning (#139)

Addresses code review feedback on the Scorecard workflow to follow
repository security patterns and supply-chain hardening practices.

**Security Hardening**
- Replace `permissions: read-all` with explicit least-privilege grants
(`contents: read`, `actions: read`)
- Pin `github/codeql-action/upload-sarif@v3` to commit SHA
`33119e582d3ab4ed79c2610af108cb08ff983917`

**Workflow Improvements**
- Add `workflow_dispatch:` trigger for manual runs
- Remove unused `|| github.event_name == 'pull_request'` condition from
job gate (no PR trigger exists)

```yaml
# Before
permissions: read-all

# After
permissions:
  contents: read
  actions: read
```

Aligns with patterns in `codeql.yml`, `ci.yml`, and `security.yml`
workflows.

---------

Co-authored-by: copilot-swe-agent[bot] <198982749+Copilot@users.noreply.github.com>
Co-authored-by: unclesp1d3r <251112+unclesp1d3r@users.noreply.github.com>
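The two hardening points in the commit above (explicit `contents: read` / `actions: read` instead of `permissions: read-all`, and `upload-sarif` pinned to a commit SHA) are easy to regress in a later edit. The script below is an added example, not code from the PR or the repository: it scans a workflow file with a stdlib regex pass (no PyYAML dependency) and reports every `uses:` ref that is not a full commit SHA and every blanket `read-all` / `write-all` grant. The before/after snippets are constructed from the commit message; the checkout SHA in the "after" snippet is a 40-zero placeholder, not a real commit.

```python
import re
# Constructed before/after snippets modelled on the commit message above,
# not the repository's real scorecard.yml.
WORKFLOW_BEFORE = """\
permissions: read-all
jobs:
  analysis:
    steps:
      - uses: actions/checkout@v4
      - uses: ossf/scorecard-action@v2
      - uses: github/codeql-action/upload-sarif@v3
"""
# upload-sarif SHA as named in the commit; the checkout SHA is a constructed
# placeholder (40 zeros) with the right shape, not a real commit.
WORKFLOW_AFTER = """\
permissions:
  contents: read
  actions: read
jobs:
  analysis:
    steps:
      - uses: actions/checkout@0000000000000000000000000000000000000000
      - uses: github/codeql-action/upload-sarif@33119e582d3ab4ed79c2610af108cb08ff983917
"""
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
BLANKET_PERMS_RE = re.compile(r"^\s*permissions:\s*(read-all|write-all)\s*$", re.M)

def unpinned_actions(workflow_text):
    """`uses:` refs not pinned to a full commit SHA (tags and branches are mutable)."""
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m or m.group(1).startswith(("./", "docker://")):
            continue  # local actions and container refs have no tag to pin
        _, _, ref = m.group(1).partition("@")
        if not FULL_SHA_RE.match(ref):
            unpinned.append(m.group(1))
    return unpinned

def blanket_permissions(workflow_text):
    """Blanket `read-all` / `write-all` grants at workflow or job level."""
    return BLANKET_PERMS_RE.findall(workflow_text)

def audit(workflow_text):
    """Both checks in one report; empty lists mean the file passes."""
    return {"unpinned": unpinned_actions(workflow_text),
            "blanket_permissions": blanket_permissions(workflow_text)}
```

Run `audit()` over each file in `.github/workflows/` in CI and fail the job on a non-empty report; note that a pinned SHA still needs a version comment beside it so Dependabot-style updates stay reviewable.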
@unclesp1d3r unclesp1d3r enabled auto-merge (squash) February 7, 2026 03:20
@unclesp1d3r unclesp1d3r disabled auto-merge February 7, 2026 03:48
@unclesp1d3r unclesp1d3r merged commit 0accb1c into main Feb 7, 2026
17 checks passed
@unclesp1d3r unclesp1d3r deleted the Add-OSSF-Scorecard-Scanning branch February 7, 2026 03:48