👷 support for OpenSSF Scorecard

.github/workflows/pipelines.yml

@@ -1,12 +1,12 @@
 name: AWS Signature Version 4 Ext. CI/CD Pipeline
 on:
   pull_request:
+    branches: [main]
     paths-ignore:
-      - .codecov
-      - .docfx
-      - .github
-      - .nuget
-      - '**.md' 
+      - .codecov/**
+      - .docfx/**
+      - .nuget/**
+      - '**/*.md'
   workflow_dispatch:
     inputs:
       configuration:

.github/workflows/scorecard.yml

@@ -0,0 +1,42 @@
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '45 17 * * 2'
+  push:
+    branches: [ "main" ]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@v4
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@v3
+        with:
+          sarif_file: results.sarif