Add the GitHub Action for Scorecard analysis

Author: sethmlarson

.github/workflows/scorecards.yml

@@ -0,0 +1,33 @@
+name: "Scorecard"
+
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: "0 0 * * 5"
+  push:
+    branches: ["main"]
+
+permissions: "read-all"
+
+jobs:
+  analyze:
+    name: Scorecards analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+
+    steps:
+    - name: "Checkout repository"
+      uses: actions/checkout@a12a3943b4bdde767164f792f33f40b04645d846
+      with:
+        persist-credentials: false
+
+    - name: "Run analysis"
+      uses: ossf/scorecard-action@3e15ea8318eee9b333819ec77a36aca8d39df13e
+      with:
+        results_file: results.sarif
+        results_format: sarif
+        publish_results: true