ci: add scorecard, stale, dependency-review, funding workflows

.github/FUNDING.yml

@@ -0,0 +1,6 @@
+# Funding
+# Add sponsors / donation targets to this file.
+# See https://docs.github.com/en/repositories/managing-your-repositorys-settings-and-features/customizing-your-repository/displaying-a-sponsor-button-in-your-repository
+# Supported: github, patreon, open_collective, ko_fi, tidelift, community_bridge, liberapay, issuehunt, buy_me_a_coffee, thanks_dev, polar, custom
+github: badhope
+buy_me_a_coffee: badhope

.github/workflows/dependency-review.yml

@@ -0,0 +1,30 @@
+name: Dependency Review
+
+on:
+  pull_request:
+    branches: [main, master]
+
+permissions:
+  contents: read
+  pull-requests: write
+
+jobs:
+  review:
+    name: Dependency review
+    runs-on: ubuntu-latest
+    timeout-minutes: 10
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+
+      - name: Dependency Review
+        uses: actions/dependency-review-action@595ce4cd8b5399062ddf67f3a81c54cfa1448b86 # v4.7.2
+        with:
+          fail-on-severity: high
+          comment-summary-in-pr: always
+          deny-licenses: GPL-3.0, AGPL-3.0

.github/workflows/scorecard.yml

@@ -0,0 +1,46 @@
+name: OSSF Scorecard
+
+on:
+  # Scheduled weekly + on push to main for up-to-date score
+  schedule:
+    - cron: "17 6 * * 1"
+  push:
+    branches: [main, master]
+  workflow_dispatch:
+
+# Scorecard only needs read access; result upload needs id-token: write.
+permissions:
+  contents: read
+  id-token: write
+  actions: read
+  security-events: write
+
+jobs:
+  analysis:
+    name: Scorecard
+    runs-on: ubuntu-latest
+    timeout-minutes: 30
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Checkout
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11 # v4.1.1
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@62b8690c4ac1bd3bfcd44d70de4d3a5952f016a3 # v2.4.0
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload to code-scanning
+        if: always()
+        uses: github/codeql-action/upload-sarif@4e828ff8d448a8a6e532957b1811f387a63867b2 # v3.27.5
+        with:
+          sarif_file: results.sarif
+          category: scorecard

.github/workflows/stale.yml

@@ -0,0 +1,37 @@
+name: Stale
+
+on:
+  schedule:
+    - cron: "23 4 * * *"
+  workflow_dispatch:
+  issues:
+    types: [opened, labeled, reopened]
+
+permissions:
+  issues: write
+  pull-requests: write
+
+jobs:
+  stale:
+    name: Mark / close stale
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    steps:
+      - name: Harden Runner
+        uses: step-security/harden-runner@20cf305ff2072d973412fa9b1e3a4f227bda3c76 # v2.14.0
+        with:
+          egress-policy: audit
+
+      - name: Run stale
+        uses: actions/stale@5c658c458affa5e0b5e7b18c31291a4631a59c64 # v9.1.0
+        with:
+          repo-token: ${{ secrets.GITHUB_TOKEN }}
+          days-before-stale: 60
+          days-before-close: 14
+          stale-issue-label: stale
+          stale-pr-label: stale
+          exempt-issue-labels: pinned,security,good first issue
+          exempt-pr-labels: pinned,security
+          operations-per-run: 60
+          remove-stale-when-updated: true
+          only: issues