actions / actions-runner-controller

Kubernetes controller for GitHub Actions self-hosted runners
Apache License 2.0
4.64k stars 1.1k forks

Feature: add scorecard to your project #1298

Closed laurentsimon closed 2 years ago

laurentsimon commented 2 years ago

I ran the OpenSSF's scorecard on this project and found that branch protection and code reviews are not enforced.

I chatted with @josepalafox and he suggested I create this issue to start a discussion.

Given the popularity of this project and its sensitivity (access to build pipeline, etc), it would be beneficial to install scorecard as suggested in the workflow hardening guideline.

/cc @nebuk89

laurentsimon commented 2 years ago

/cc @isarkis @sethvargo

mumoshu commented 2 years ago

@laurentsimon Thanks for bringing this up. I just ran `docker run -e GITHUB_AUTH_TOKEN=$OPENSSF_SCORECARD_GITHUB_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/actions-runner-controller/actions-runner-controller` to see what it finds. Currently, it reports `Aggregate score: 5.8 / 10`. My goal is to make it close enough to 10. You can expect me to submit a few PRs to address each finding!

mumoshu commented 2 years ago

We've managed to score 8.2 out of 10 now.

```
RESULTS
-------
Aggregate score: 8.2 / 10

Check scores:
|---------|--------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------|---------------------------|
| SCORE   | NAME               | REASON                                                                    | DETAILS                                                           | DOCUMENTATION/REMEDIATION |
|---------|--------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------|---------------------------|
| 10 / 10 | Binary-Artifacts   | no binaries found in the repo                                             |                                                                   | https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#binary-artifacts |
|---------|--------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------|---------------------------|
| 8 / 10  | Branch-Protection  | branch protection is not maximal on development and all release branches | Info: 'force pushes' disabled on branch 'master'                  | https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#branch-protection |
|         |                    |                                                                           | Info: 'allow deletion' disabled on branch 'master'                |                           |
|         |                    |                                                                           | Info: settings apply to administrators on branch 'master'         |                           |
|         |                    |                                                                           | Info: status checks require up-to-date branches for 'master'      |                           |
|         |                    |                                                                           | Info: status check found to merge onto on branch 'master'         |                           |
|         |                    |                                                                           | Warn: number of required reviewers is only 1 on branch 'master'   |                           |
|         |                    |                                                                           | Info: Stale review dismissal enabled on branch 'master'           |                           |
|---------|--------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------|---------------------------|
| 9 / 10  | CI-Tests           | 29 out of 30 merged PRs checked by a CI test -- score normalized to 9     |                                                                   | https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#ci-tests |
|---------|--------------------|---------------------------------------------------------------------------|-------------------------------------------------------------------|---------------------------|
| 5 / 10  | CII-Best-Practices | badge detected: passing                                                   |                                                                   | https://github.com/ossf/scorecard/blob/
```

I think it's the best we can do today. Please raise another issue if you have more ideas. Thanks!
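The thread runs Scorecard by hand and reads the table; in a workflow the same run is usually consumed as machine-readable output so CI can fail on a regression. The block below is an added example (not code from actions-runner-controller or from the Scorecard project) that gates on a Scorecard report: it lists checks under a per-check floor, collects the `Warn:` details that explain the lost points (such as the single required reviewer above), and treats the `-1` score Scorecard uses for inconclusive checks as "needs attention" rather than as a failure. It assumes the JSON layout produced by `scorecard --format json`, with a top-level `score` and a `checks` list whose entries carry `name`, `score`, `reason` and `details`; the embedded report is a constructed sample shaped like the 8.2 / 10 run in this thread, not real tool output.

```python
"""Gate a CI job on OpenSSF Scorecard JSON output.

Added example, not part of actions-runner-controller. Assumes the
`scorecard --format json` layout: top-level "score" plus a "checks"
list with "name", "score", "reason" and "details" per check.
"""
import json

# Constructed sample modelled on the 8.2 / 10 run quoted in the thread.
# Not real Scorecard output; "Packaging" is added to show a -1 score.
SAMPLE_JSON = json.dumps({
    "score": 8.2,
    "checks": [
        {"name": "Binary-Artifacts", "score": 10,
         "reason": "no binaries found in the repo", "details": None},
        {"name": "Branch-Protection", "score": 8,
         "reason": "branch protection is not maximal on development "
                   "and all release branches",
         "details": [
             "Info: 'force pushes' disabled on branch 'master'",
             "Warn: number of required reviewers is only 1 on branch 'master'",
             "Info: Stale review dismissal enabled on branch 'master'",
         ]},
        {"name": "CI-Tests", "score": 9,
         "reason": "29 out of 30 merged PRs checked by a CI test -- "
                   "score normalized to 9", "details": None},
        {"name": "CII-Best-Practices", "score": 5,
         "reason": "badge detected: passing", "details": None},
        {"name": "Packaging", "score": -1,
         "reason": "no published package detected", "details": None},
    ],
})

INCONCLUSIVE = -1  # Scorecard's marker for a check it could not evaluate


def failing_checks(report_json, min_check=7):
    """Names of checks scored below min_check (inconclusive ones excluded)."""
    report = json.loads(report_json)
    return sorted(c["name"] for c in report["checks"]
                  if c.get("score", INCONCLUSIVE) != INCONCLUSIVE
                  and c["score"] < min_check)


def inconclusive_checks(report_json):
    """Checks Scorecard scored -1; worth a look but not a hard failure."""
    report = json.loads(report_json)
    return sorted(c["name"] for c in report["checks"]
                  if c.get("score", INCONCLUSIVE) == INCONCLUSIVE)


def warnings(report_json):
    """Map check name -> the 'Warn:' detail lines, which explain lost points."""
    report = json.loads(report_json)
    out = {}
    for c in report["checks"]:
        warns = [d for d in (c.get("details") or []) if d.startswith("Warn:")]
        if warns:
            out[c["name"]] = warns
    return out


def gate(report_json, min_aggregate=7.0, min_check=5):
    """Return a list of human-readable problems; empty means the gate passes."""
    report = json.loads(report_json)
    problems = []
    if report["score"] < min_aggregate:
        problems.append(f"aggregate score {report['score']} < {min_aggregate}")
    for name in failing_checks(report_json, min_check):
        problems.append(f"check {name} below {min_check}")
    for name, warns in warnings(report_json).items():
        for w in warns:
            problems.append(f"{name}: {w}")
    return problems


if __name__ == "__main__":
    for p in gate(SAMPLE_JSON, min_aggregate=9.0):
        print(p)
    print("inconclusive:", inconclusive_checks(SAMPLE_JSON))
```

In a workflow the report would come from the Scorecard run's output file instead of the embedded sample; `gate()` returning a non-empty list is the signal to fail the job, and the `Warn:` lines are what the maintainers act on, which is how the thread went from 5.8 to 8.2.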