common: Add OpenSSF Scorecard gating workflow

[cgwalters]

Adds a stub workflow that calls bootc-dev/actions/openssf-scorecard to gate PRs on scorecard regressions.

Also adds scorecard to devenv images for local development, and a renovate custom manager for VERSION= patterns in YAML files.

Requires: bootc-dev/actions#2

Assisted-by: OpenCode (Claude Sonnet 4)

[gemini-code-assist]

Summary of Changes

Hello @cgwalters, I'm Gemini Code Assist¹! I'm currently reviewing this pull request and will post my feedback shortly. In the meantime, here's a summary to help you and other reviewers quickly get up to speed!

This pull request significantly enhances the project's security posture by implementing a new GitHub Actions workflow that actively gates pull requests based on OpenSSF Scorecard regressions. This change moves from a reactive analysis approach to a proactive prevention strategy. Additionally, it integrates the OpenSSF Scorecard tool directly into the development container images, allowing developers to utilize it locally. The PR also improves dependency management by extending Renovate's capabilities to recognize and update version declarations in YAML files.

Highlights

• OpenSSF Scorecard Gating Workflow: Introduced a new GitHub Actions workflow (openssf-scorecard-gate.yml) that runs on pull requests to prevent regressions in OpenSSF Scorecard ratings before merging to the main branch.
• Removed Old Scorecard Workflow: The previous openssf-scorecard.yml workflow, which performed analysis on push events, has been removed, shifting from passive analysis to active PR gating.
• Local Development Environment Integration: The OpenSSF Scorecard tool has been added to both devenv/Containerfile.c10s and devenv/Containerfile.debian, making it available for local development and testing.
• Renovate Custom Manager for Versioning: A new Renovate custom manager was added to renovate-shared-config.json to enable automatic updates for dependencies specified using VERSION= patterns within YAML files, particularly useful for GitHub Actions.

🧠 New Feature in Public Preview: You can now enable Memory to help Gemini Code Assist learn from your team's feedback. This makes future code reviews more consistent and personalized to your project's style. Click here to enable Memory in your admin console.

Using Gemini Code Assist

The full guide for Gemini Code Assist can be found on our documentation page, here are some quick tips.

Invoking Gemini

You can request assistance from Gemini at any point by creating a comment using either /gemini <command> or @gemini-code-assist <command>. Below is a summary of the supported commands on the current page.

Feature	Command	Description
Code Review	/gemini review	Performs a code review for the current pull request in its current state.
Pull Request Summary	/gemini summary	Provides a summary of the current pull request in its current state.
Comment	@gemini-code-assist	Responds in comments when explicitly tagged, both in pull request comments and review comments.
Help	/gemini help	Displays a list of available commands.

Customization

To customize Gemini Code Assist for GitHub experience, repository maintainers can create a configuration file and/or provide a custom code review style guide (such as PEP-8 for Python) by creating and adding files to a .gemini/ folder in the base of the repository. Detailed instructions can be found here.

Limitations & Feedback

Gemini Code Assist may make mistakes. Please leave feedback on any instances where its feedback is incorrect or counter productive. You can react with 👍 and 👎 on @gemini-code-assist comments. If you're interested in giving your feedback about your experience with Gemini Code Assist for Github and other Google products, sign up here.

You can also get AI-powered code generation, chat, as well as code reviews directly in the IDE at no cost with the Gemini Code Assist IDE Extension.

Footnotes

1. Review the Privacy Notices, Generative AI Prohibited Use Policy, Terms of Service, and learn how to configure Gemini Code Assist in GitHub here. Gemini can make mistakes, so double check it and use code with caution. ↩

[gemini-code-assist]

Code Review

This pull request introduces an OpenSSF Scorecard gating workflow and integrates the scorecard tool into development environment containers, aiming to enhance security standards. However, a security audit identified several vulnerabilities. A medium-severity issue exists in the new GitHub workflow, which uses a mutable branch reference for an action, posing a risk of executing untrusted code. Furthermore, two high-severity command injection vulnerabilities were found in the Containerfile for both c10s and debian, caused by unquoted build arguments that could allow arbitrary code execution. To improve robustness, it's also recommended to pin GitHub Actions to specific versions and add checksum verification for downloaded binaries.