
ops: add OpenSSF Scorecard workflow#48

Merged
amavashev merged 1 commit into
mainfrom
ops/scorecard-action
May 2, 2026

Conversation

@amavashev
Contributor

Adds OpenSSF Scorecard supply-chain security analysis. Same workflow already merged in runcycles/cycles-server#142.

Why this repo

`runcycles` on PyPI is the entry point for every Python user. Scorecard scoring this repo means downstream Python users get a third-party signal that supply-chain practices are audited.

What it scores

~17 practices on a 0–10 scale: branch protection, signed commits, dependency review, pinned dependencies, token permissions, vulnerability disclosure, fuzzing, SAST, dangerous workflow patterns. Full list: https://github.com/ossf/scorecard/blob/main/docs/checks.md

Runs

  • On push to main (immediate first score after merge)
  • On `branch_protection_rule` changes
  • Weekly (Mon 06:00 UTC)

Where results land

  1. Security tab (SARIF upload)
  2. Public scorecard at https://scorecard.dev/viewer/?uri=github.com/runcycles/cycles-client-python (24h after first run)
  3. Auto-updating badge: `https://api.scorecard.dev/projects/github.com/runcycles/cycles-client-python/badge`

Notes

  • Action SHAs pinned per Scorecard's pinned-dependencies criterion
  • `publish_results: true` requires public repo (it is)
  • Workflow must live on default branch — this PR puts it there

Test plan

  • Merge → verify workflow runs to green on post-merge push
  • Check Security tab — SARIF visible
  • Check scorecard.dev page after 24h
  • First score ≥6 reasonable; ≥8 strong; <5 means immediate hardening warranted
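The workflow described above, written out as an added example rather than the file merged in this PR: the workflow name, the `analysis` job name and the Monday 06:00 UTC cron expression are assumptions, and each action ref is a placeholder to be replaced with the full commit SHA of the release being pinned.

```yaml
name: OpenSSF Scorecard

on:
  # Immediate first score once the workflow lands on the default branch.
  push:
    branches: [ main ]
  # Re-score whenever branch protection settings change.
  branch_protection_rule:
  # Weekly run, Monday 06:00 UTC (assumed schedule).
  schedule:
    - cron: '0 6 * * 1'

# Read-only by default; the job grants only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # upload SARIF to the Security tab
      id-token: write         # OIDC token needed when publish_results is true
    steps:
      - name: Checkout code
        # PLACEHOLDER ref: pin to the full commit SHA of the chosen release,
        # with the version tag kept in a trailing comment for readability.
        uses: actions/checkout@<full-commit-sha> # vX.Y.Z
        with:
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@<full-commit-sha> # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishes to api.scorecard.dev so the badge and the
          # scorecard.dev viewer update; only valid for public repositories.
          publish_results: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@<full-commit-sha> # vX.Y.Z
        with:
          sarif_file: results.sarif
```

Until the placeholder refs are replaced with full commit SHAs, Scorecard's own Pinned-Dependencies check will flag this file.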

Free supply-chain security analysis from openssf/scorecard. Scores ~17
practices (branch protection, signed commits, dependency review, pinned
deps, token permissions, SAST, etc.) on a 0-10 scale and publishes the
result to api.scorecard.dev so the public badge auto-updates.

Runs on push to main, on branch_protection_rule changes, and weekly.
Action SHAs are pinned per Scorecard's pinned-dependencies criterion.
@amavashev amavashev merged commit f6e6701 into main May 2, 2026
7 checks passed
@amavashev amavashev deleted the ops/scorecard-action branch May 2, 2026 19:39