Add ossf scorecard

[juju4]

You will need to create a personal access token as only apply to master/main and registration must be by project owner.
This support supply chain risk assessment and auditing.

See also
https://github.com/marketplace/actions/ossf-scorecard-action
https://github.com/ossf/scorecard#using-scorecards-1
https://securityscorecards.dev/

[achantavy]

Hi, what does this PR try to do? If it involves using a PAT then I don't think we will be able to merge it in.

[juju4]

Please read above links.
This is to give trust to users that there is limited supply chain risk.

PAT is up to maintainer to set as this can only apply to default branch.

Examples with badges from https://github.com/search?q=Scorecards+supply-chain+security&type=commits
https://github.com/PyCQA/pylint
https://github.com/pandora-analysis/pandora

Trust that this kind of news can be avoided
https://www.bleepingcomputer.com/news/security/pytorch-discloses-malicious-dependency-chain-compromise-over-holidays/

[chandanchowdhury]

The OSSF Scorecard is a nice to have.

This change basically is the changes following the setup steps
https://github.com/marketplace/actions/ossf-scorecard-action

We can get this MR merged and then update the image SHA256 to latest.

[chandanchowdhury]

Note: This CI job runs once a week against the main branch (not for every MR or branch)