
[feat](ci) add OSSF Scorecard workflow for supply-chain security#60551

Open
gaganhr94 wants to merge 2 commits into apache:master from gaganhr94:feat/adds-scorecard-workflow

Conversation

@gaganhr94

What problem does this PR solve?

Issue Number: close #60508

Related PR: #xxx

Problem Summary: The repository currently does not publish OpenSSF Scorecard results to the public Scorecard API (https://api.securityscorecards.dev/). As a result, users and downstream projects cannot easily discover or track the project’s security best-practice posture in a standardized, automated way. The absence of published results reduces visibility and makes it harder for consumers to assess the project using common tooling.

Release note

None

Check List (For Author)

  • Test

    • Regression test
    • Unit Test
    • Manual test (add detailed scripts or steps below)
    • No need to test or manual test. Explain why:
      • This is a refactor/code format and no logic has been changed.
      • Previous test can cover this change.
      • No code files have been changed.
      • Other reason
  • Behavior changed:

    • No.
    • Yes.
  • Does this need documentation?

    • No.
    • Yes.

Check List (For Reviewer who merge this PR)

  • Confirm the release note
  • Confirm test cases
  • Confirm document
  • Add branch pick label

What problem was fixed

The repository currently does not publish OpenSSF Scorecard results to the public Scorecard API (https://api.securityscorecards.dev/). As a result, users and downstream projects cannot easily discover or track the project’s security best-practice posture in a standardized, automated way.

How it was fixed

This was addressed by adding an OpenSSF Scorecard GitHub Actions workflow that runs on scheduled intervals and on relevant branch updates. The workflow executes the Scorecard analysis, generates a SARIF report, and uploads the results to GitHub Code Scanning for visibility.

Which behaviors were modified

Previous behavior:
No automated push of OpenSSF scorecard to the scorecard API.

Current behavior:
Scorecard analysis runs automatically on a schedule and on selected branches.

Why this was modified:

The absence of published results reduces visibility and makes it harder for consumers to assess the project using common tooling. So the scorecard workflow was added so that the project can be scored on various security criteria, which helps users use the project with confidence.

Potential impact:

No impact on runtime behavior or production code. Improves overall project security posture and audit readiness.

What features were added

Automated OpenSSF Scorecard scanning via GitHub Actions.
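The PR does not show the workflow file itself, so the following is an added illustration of a workflow matching the description above (scheduled and branch-triggered runs, SARIF output, publication to the Scorecard API, upload to GitHub Code Scanning). It is not the file from this PR or from the Apache Doris repository. The action tags, cron schedule and file name are assumptions; the `master` branch name comes from the PR's target branch. Note that Scorecard's own Pinned-Dependencies check scores a workflow lower when actions are referenced by mutable tags, so a real deployment would pin each `uses:` to a full commit SHA.

```yaml
# Added example: OpenSSF Scorecard workflow (not the PR's actual file).
name: OpenSSF Scorecard

on:
  # Re-run when branch protection settings change, since Scorecard scores them.
  branch_protection_rule:
  # Weekly scheduled run; the cron value is an assumption.
  schedule:
    - cron: "30 6 * * 1"
  # Run on pushes to the default branch (master is the PR's target branch).
  push:
    branches: ["master"]

# Default to read-only; the job below raises only what it needs.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload the SARIF report to Code Scanning.
      security-events: write
      # Needed to publish results to the public Scorecard API.
      id-token: write

    steps:
      - name: Checkout code
        # Tag versions are assumptions; pin to a commit SHA in a real deployment.
        uses: actions/checkout@v4
        with:
          # Do not leave the workflow token in the checked-out repo's git config.
          persist-credentials: false

      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishes the results to api.securityscorecards.dev; this is what
          # makes the score discoverable by downstream consumers and badges.
          publish_results: true

      - name: Upload SARIF as a workflow artifact
        uses: actions/upload-artifact@v4
        with:
          name: scorecard-sarif
          path: results.sarif
          retention-days: 5

      - name: Upload SARIF to GitHub Code Scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Publishing to the Scorecard API only works from the repository's default branch and requires the `id-token: write` permission shown above; the Code Scanning upload is what makes individual check findings visible under the repository's Security tab.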

@Thearas (Contributor)

Thearas commented Feb 5, 2026

Thank you for your contribution to Apache Doris.
Don't know what should be done next? See How to process your PR.

Please clearly describe your PR:

  1. What problem was fixed (it's best to include specific error reporting information). How it was fixed.
  2. Which behaviors were modified. What was the previous behavior, what is it now, why was it modified, and what possible impacts might there be.
  3. What features were added. Why was this function added?
  4. Which code was refactored and why was this part of the code refactored?
  5. Which functions were optimized and what is the difference before and after the optimization?

@gaganhr94 (Author)

@Thearas @hello-stephen Can you please review this PR when you get a chance. Thanks!



Development

Successfully merging this pull request may close these issues.

[Enhancement] Add OpenSSF Scorecard GitHub Actions workflow to publish security scores

2 participants