
Add the OpenSSF Scorecard GitHub Action

Feature or enhancement

Add the OpenSSF Scorecard GitHub Action, which performs dozens of automated checks to verify that the project's security posture is solid. The Scorecard is a form of project "meta-analysis": it doesn't detect vulnerabilities in your code, but instead checks that your repository settings and security features follow best practices that minimize the risk of vulnerabilities.

Pitch

Supply-chain attacks are on the rise. Given Python's self-evident importance to the FOSS ecosystem, the OpenSSF has declared CPython one of the most important open-source projects.

The OpenSSF has developed the Scorecard system and an accompanying GitHub Action to validate a project's security posture and provide actionable suggestions (added to the project's security dashboard). And indeed, Scorecards was how the need for #92999 was detected, for instance.

The Action runs on every push to main and lets maintainers know if there's a misstep that weakened the project's security.

Would you be interested in a PR to add this workflow?

If you have any questions, check out the Scorecards FAQ or just ask me!

Disclaimer

I work for Google (an OpenSSF founding member), working full-time to help open-source maintainers improve their projects' security.

[Screenshot: Detail of a Token-Permissions alert, indicating the specific file and remediation steps]

Linked PRs