Publish OSSF Scorecard results

[jku]

https://github.com/ossf/scorecard

Would be nice to get these results visible. They have a GitHub Action that we could use.

The installation instructions say:

One Scorecards check (Branch-Protection) requires authentication using a Personal Access Token (PAT). If you want all Scorecards checks to run on a public repository, you will need to follow the optional Authentication step. If you don't, all checks will run except Branch-Protection.

The token is described as "read-only" but I don't understand why it would be read-only... maybe it is but I don't get how.

So:

• the github action would be nice
• the action should work without a token: I'm fine with skipping the branch-protection check

[spartan289]

hi i would like to work on this issue

[jku]

Hi, thanks!

As advice: I think the instructions in https://github.com/ossf/scorecard-action#workflow-setup might not work for you in this repository (the UI probably won't be there unless you are admin). Options:

• fork this repo and follow the above instructions in your repo, then make a PR of those changes to this repo
• just get the example from https://github.com/ossf/scorecard-action#manual-action-setup and fix at least the main branch name

[spartan289]

Yes i will do it.

[jku]

oh they have manual setup instructions too https://github.com/ossf/scorecard-action#manual-action-setup

[jku]

I think I'll try to enable this today.

(no slight on you spartan: it's just been 3 weeks since last comment, and I'd like to see the results of recetnt configuration changes)

[spartan289]

I tried, but it was always showing error

[jku]

I've added "ossf/scorecard-action@*" to allowed actions for this project -- based on @joshuagl review I figured there was consensus on this

[jku]

Now it works: https://github.com/theupdateframework/python-tuf/actions/runs/3525418144/jobs/5912109928

:+1: