
Add Scorecard workflow for supply-chain security and update README wi…#107

Open
kpj2006 wants to merge 2 commits into AOSSIE-Org:main from kpj2006:patch-5

Conversation

@kpj2006
Contributor

@kpj2006 kpj2006 commented Mar 28, 2026

…th Scorecard badge

Addressed Issues:

Fixes #(issue number)

Screenshots/Recordings:

Additional Notes:

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

  • Chores

    • Added an OpenSSF Scorecard workflow (scheduled, branch push, branch-protection and manual triggers) that runs analysis, uploads SARIF results and artifacts, and sets required job permissions.
  • Documentation

    • Added an OpenSSF Scorecard badge to the README banner.

@github-actions github-actions bot added the following labels on Mar 28, 2026:

  • no-issue-linked: PR is not linked to any issue
  • ci-cd: CI/CD pipeline changes
  • configuration: Configuration file changes
  • documentation: Changes to documentation files
  • github-actions: GitHub Actions workflow changes
  • size/M: Medium PR (51-200 lines changed)
  • repeat-contributor: PR from an external contributor who already had PRs merged
  • pending-coderabbit-review
@coderabbitai
Contributor

coderabbitai bot commented Mar 28, 2026

Walkthrough

Introduces a new GitHub Actions workflow .github/workflows/scorecard.yml to run OpenSSF Scorecard analysis (cron, branch_protection_rule, push to dev, workflow_dispatch) and adds an OpenSSF Scorecard badge to the README.

Changes

Cohort / File(s) Summary
Security Workflow
.github/workflows/scorecard.yml
Adds a new GitHub Actions workflow named "Scorecard supply-chain security" with an analysis job that hardens the runner, checks out the repo, runs ossf/scorecard-action to generate results.sarif, publishes to api.scorecard.dev, uploads SARIF as artifact (5-day retention), and uploads SARIF to GitHub code scanning. Triggers: branch_protection_rule, weekly schedule (cron), push to dev, workflow_dispatch. Job-level perms: security-events: write, id-token: write.
Documentation
README.md
Inserts an OpenSSF Scorecard badge into the README social/banner area immediately after the existing YouTube badge (uses {owner}/{repo} placeholders).

Sequence Diagram(s)

```mermaid
sequenceDiagram
participant Trigger as Trigger (cron / push / branch_protection_rule / manual)
participant Runner as GitHub Actions Runner
participant Checkout as Checkout Step
participant Harden as Harden Step
participant Scorecard as ossf/scorecard-action
participant API as api.scorecard.dev
participant Artifact as GitHub Artifacts
participant CodeScan as GitHub Code Scanning

Trigger->>Runner: start workflow
Runner->>Harden: apply runner hardening
Runner->>Checkout: checkout repository (no persisted creds)
Checkout->>Scorecard: invoke Scorecard action (generate results.sarif)
Scorecard->>API: publish results (publish_results: true)
Scorecard->>Artifact: upload results.sarif (5-day retention)
Runner->>CodeScan: upload SARIF to GitHub code scanning
```

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~15 minutes

Suggested labels

Documentation

Suggested reviewers

  • Zahnentferner

Poem

🐰 A hop, a scan, a badge so bright,
I guard the chain by day and night,
SARIF in paw, I upload with care,
Artifacts tucked in a five-day lair,
Hooray — secure and light as air!

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title clearly identifies the main changes: adding a Scorecard workflow for supply-chain security and updating the README with a badge.



@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/scorecard.yml:
- Line 17: The branches entry uses a flow sequence with spaced brackets
(`branches: [ "dev" ]`) which triggers YAMLlint's brackets rule; update the
`branches` value to a block sequence (replace the bracketed flow form under the
`branches` key with a dash-style list containing the string "dev") so the YAML
is lint-clean and equivalent in meaning.
- Around line 15-17: The workflow's push trigger (branches: ["dev"]) is being
nullified by the job-level condition that requires github.ref_name to equal the
repo default or the event to be manual/pull_request; either align the condition
with the declared trigger or align the trigger with the condition. Fix by
updating the job guard to allow github.ref_name == 'dev' (or the actual branch
name used in branches: ["dev"]) and/or add a pull_request trigger to the
workflow if you intend to run on PRs, or change branches: to the default branch
name so the existing github.ref_name check remains valid; look for the push
trigger, branches: ["dev"] and the job condition referencing github.ref_name and
github.event_name to make the change.

In `@README.md`:
- Line 48: Replace the placeholder "{owner}/{repo}" in the Scorecard badge URL
and the link target with this repository's actual owner and repository name so
both the image source and the link point to the correct repo; search for the
string "{owner}/{repo}" in the README line containing the badge and substitute
it with the actual "OWNER/REPO" values used by this project so the badge and
scorecard link resolve correctly.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f2d92c02-14c9-437f-b53d-a530e48e902e

📥 Commits

Reviewing files that changed from the base of the PR and between 6ef9363 and aab8a0b.

📒 Files selected for processing (2)
  • .github/workflows/scorecard.yml
  • README.md


@coderabbitai coderabbitai bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/scorecard.yml (1)

15-17: ⚠️ Potential issue | 🟠 Major

Job guard currently conflicts with declared triggers and can skip valid runs.

Line 17 configures push on dev, but Line 30 gates execution on default_branch == ref_name; if default branch is not dev, push runs are skipped. Also, Line 32 checks pull_request even though no pull_request trigger exists.

🔧 Proposed fix (align job guard with actual triggers)
     if: |
       !github.event.repository.fork &&
-      (github.event.repository.default_branch == github.ref_name ||
-       github.event_name == 'workflow_dispatch' ||
-       github.event_name == 'pull_request')
+      (github.event_name == 'workflow_dispatch' ||
+       github.event_name == 'push' ||
+       github.event_name == 'schedule' ||
+       github.event_name == 'branch_protection_rule')
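Review bot: The replacement guard enumerates event names only and removes the `default_branch == github.ref_name` comparison outright, so nothing in the job checks which branch a `push` came from; that is acceptable only while the trigger stays at `branches: ["dev"]`, and any later widening of that filter silently widens the analysis runs too. Since the walkthrough notes `publish_results: true`, this change also means `push` runs publish results from `dev` while `schedule` and `branch_protection_rule` runs publish from the default branch; confirm that publishing from a non-default branch is intended, and if not, keep publishing conditional, for example `publish_results: ${{ github.ref_name == github.event.repository.default_branch }}`, rather than letting every enumerated event publish.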

Also applies to: 28-32

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/scorecard.yml around lines 15 - 17, The workflow's job
guard conflicts with its triggers: the push trigger lists branches: ["dev"] but
the job guard uses default_branch == ref_name and also checks pull_request even
though no pull_request trigger exists; update the guard to match the declared
triggers by either (A) set the push branches to the repository default branch
name used by default_branch, or (B) modify the job-level if condition to detect
the actual push ref (e.g. compare github.ref or ref_name to the literal
refs/heads/dev used in branches) and remove the unnecessary pull_request check;
reference the push branches setting, the job guard expression that uses
default_branch == ref_name, and the pull_request check when making the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/scorecard.yml:
- Around line 100-101: Replace the floating tag on the GitHub Action reference
github/codeql-action/upload-sarif (currently using `@v4`) with the provided full
commit SHA to pin the action for supply-chain security; change the usage string
to use the commit SHA d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e so the workflow
is consistent with other pinned actions.

---

Duplicate comments:
In @.github/workflows/scorecard.yml:
- Around line 15-17: The workflow's job guard conflicts with its triggers: the
push trigger lists branches: ["dev"] but the job guard uses default_branch ==
ref_name and also checks pull_request even though no pull_request trigger
exists; update the guard to match the declared triggers by either (A) set the
push branches to the repository default branch name used by default_branch, or
(B) modify the job-level if condition to detect the actual push ref (e.g.
compare github.ref or ref_name to the literal refs/heads/dev used in branches)
and remove the unnecessary pull_request check; reference the push branches
setting, the job guard expression that uses default_branch == ref_name, and the
pull_request check when making the change.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7b1464bb-dd91-457a-96c3-1453522d3e72

📥 Commits

Reviewing files that changed from the base of the PR and between aab8a0b and f4baf4e.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yml
