Improve supply chain security

[alpe]

• [ ] use Harden Runner in all GH workflows
• [ ] use hashes instead of versions in GH workflows
• [ ] add OpenSSF Scorecard GH workflow to identify issues
• [ ] use cosigner to sign docker image via GH action
• [ ] use dependency-review GH action
• [ ] add security.md with contact details

I found some nice examples in https://github.com/sozercan/aikit/tree/main/.github/workflows

Not related to supply chain security but code quality

• [ ] add codeql GH action
• [ ] add linter GH action
• [ ] add gosec

[samos123]

I'm all for security improvements, but at the same need to ensure that:

• doesn't make it more painful to do releases and development on the project
• doesn't hurt the UX
• doesn't significantly increase complexity

I think all of your tasks make sense, except Harden Runner might make adding and updating GH workflows a bit more painful, but at the same time it does seem good to prevent malicious PRs as well.