ci: add security audit and ossf scorecard #1359

Merged
vincentsarago merged 2 commits into main from feat--add-security-audtit-and-ossf-scorecard
Mar 31, 2026

Conversation

@lhoupert lhoupert commented Mar 31, 2026

Summary

Adds OpenSSF Scorecard to this repo so we get an automated, public security posture check and results in GitHub Code scanning.

What changed

  • New workflow .github/workflows/scorecard.yml: runs on pushes to main / dev and on a weekly schedule, uploads SARIF to Code scanning, and publishes results with publish_results: true.
  • README badge: links to the public score for this repo on scorecard.dev.

Useful links

  • OpenSSF Scorecard - What Scorecard measures (checks like branch protection, dependency updates, etc.)
  • ossf/scorecard action (Marketplace) - The GitHub Action this workflow uses
  • Scorecard viewer / API badge - Public score and badge URLs after the first successful run
  • GitHub: About code scanning - Where SARIF results show up in the repo
  • Scorecard check documentation - Plain-language explanation of each check

After merge

  1. Open Actions > Scorecard analysis and confirm a run succeeds.
  2. Open Security > Code scanning for new Scorecard findings (if Code scanning is enabled for this repo).
  3. Confirm the badge on the README updates after data is published (can take a short time after the first run).
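For reference, this is the general shape of a Scorecard workflow matching the description above; it is an added illustration, not the PR's actual .github/workflows/scorecard.yml. The branch names, SARIF upload and publish_results follow the description; the cron schedule and the permission block are assumptions, chosen to keep the token read-only except for the two write scopes Scorecard needs.

```yaml
# Illustrative Scorecard workflow (added example, not the file merged in this PR).
# Assumed: branches `main` and `dev` as stated in the PR; the weekly cron time
# is arbitrary. Actions are pinned to major tags for readability; a real
# workflow should pin each `uses:` to a full commit SHA, since Scorecard's own
# Pinned-Dependencies check flags tag-pinned actions.
name: Scorecard analysis

on:
  push:
    branches: [main, dev]
  schedule:
    - cron: "0 6 * * 1"   # weekly, Monday 06:00 UTC (assumed schedule)
  workflow_dispatch:

# Read-only by default; write scopes are granted only inside the job below.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # required to upload SARIF to Code scanning
      id-token: write          # required for publish_results (OIDC token to scorecard.dev)
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false   # do not leave GITHUB_TOKEN in .git/config

      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true        # publishes the score and badge on scorecard.dev

      # Keep the raw SARIF briefly as an artifact so findings can be inspected
      # even when Code scanning is not enabled for the repo.
      - uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

If Code scanning is disabled for the repository, the upload-sarif step fails while the Scorecard step itself still succeeds; the artifact keeps the results available in that case.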

@github-actions github-actions bot left a comment

⚠️ Performance Alert ⚠️

Possible performance regression was detected for benchmark 'TiTiler performance Benchmarks'.
Benchmark result of this commit is worse than the previous benchmark result exceeding threshold 1.30.

Benchmark suite Current: c9e7007 Previous: 319ab8b Ratio
WGS1984Quad longest_transaction 0.06 s 0.04 s 1.50

This comment was automatically generated by workflow using github-action-benchmark.

@vincentsarago vincentsarago merged commit bd50d55 into main Mar 31, 2026
13 of 20 checks passed
@vincentsarago vincentsarago deleted the feat--add-security-audtit-and-ossf-scorecard branch March 31, 2026 12:30
@github-actions github-actions bot mentioned this pull request Mar 31, 2026