Add OpenSSF Scorecard GHA - weekly

[swcurran]

Copies the Fabric version of this GHA, with the only changes being removal of the Fabric copyright comment and the change of the day of the week the job runs.

Might be nice to run immediately and see where we are.

Once we have the scorecard, we can investigate what other updates we want to do to improve the score.

[WadeBarnes]

I'd like to see the actions updated to use the version tags rather than the commit hashes. It will be easier for Dependabot to monitor for updates.

Otherwise LGTM

[swcurran]

Checked the OpenSSF Repo and they are doing that as well — https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml

I’d say we leave it as this for now.

What would we change it to if we did change it?

[WadeBarnes]

Checked the OpenSSF Repo and they are doing that as well — https://github.com/ossf/scorecard/blob/main/.github/workflows/scorecard-analysis.yml

I’d say we leave it as this for now.

What would we change it to if we did change it?

Example:

uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1

=>

uses: actions/checkout@v4

[swcurran]

Updated 3 out of 4. Didn’t know what to do with the other one…suggestions?

[WadeBarnes]

The versions need to be specified as valid tags.

[sonarcloud]

Quality Gate passed

Issues
0 New issues
0 Accepted issues

Measures
0 Security Hotspots
No data about Coverage
No data about Duplication

See analysis details on SonarCloud

[swcurran]

Changes made -- should be good now. I hope.

Back to you @WadeBarnes !