Context
This repo is a public, infra-sensitive surface that publishes container images consumed by other org repos. It has no OpenSSF Scorecard workflow today, so there is no rolling, machine-readable posture score for branch protection, signed releases, pinned actions, token permissions, etc.
Scope
- Add `.github/workflows/scorecard.yml` based on ossf/scorecard-action.
- Run weekly + on push to `main`, with `id-token: write` and `security-events: write`.
- Upload SARIF results to the Security tab.
- Publish results to the public scorecard dataset (`publish_results: true`) since the repo is public.
- Add the Scorecard badge to `README.md`.
- Run on `ubuntu-latest` only; do not make it a required check (preserve CI Gate as the only required status check per CLAUDE.md).
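One way the scope above could be realized, as an added example rather than a file from this repo: a workflow with the weekly schedule plus push-to-main triggers, read-only default permissions with the two write scopes granted only at the job level, SARIF upload to the Security tab, and `publish_results: true`. The cron value is constructed, and the `PINNED_SHA` markers are placeholders for the full commit SHA of whichever action release gets pinned (Scorecard's own Pinned-Dependencies control flags floating tags, so this should be resolved before merge).

```yaml
# Added example of the Scorecard workflow described in the issue scope.
# Not the repository's own file; PINNED_SHA markers are placeholders.
name: Scorecard supply-chain security

on:
  schedule:
    - cron: '30 3 * * 1'   # weekly, Monday 03:30 UTC (constructed schedule)
  push:
    branches: [ main ]
  workflow_dispatch:

# Default the whole workflow to read-only; write scopes are granted per job.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # needed to upload SARIF into the Security tab
      id-token: write          # OIDC token, required when publish_results is true
      contents: read
      actions: read
    steps:
      - name: Checkout code
        # Placeholder: replace PINNED_SHA with the full commit SHA of the adopted release
        uses: actions/checkout@PINNED_SHA # vX.Y.Z
        with:
          persist-credentials: false   # do not leave the GITHUB_TOKEN in .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@PINNED_SHA # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          # Public repo: publish to the public dataset so the README badge resolves.
          publish_results: true

      - name: Upload artifact
        uses: actions/upload-artifact@PINNED_SHA # vX.Y.Z
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@PINNED_SHA # vX.Y.Z
        with:
          sarif_file: results.sarif
```

Nothing in this workflow touches branch protection, so the job stays an informational check unless someone explicitly adds "Scorecard analysis" to the required status checks; leaving it off is what keeps CI Gate as the sole required check. For the README item, the badge is served from `https://api.securityscorecards.dev/projects/github.com/OWNER/REPO/badge` and links to `https://securityscorecards.dev/viewer/?uri=github.com/OWNER/REPO` (OWNER/REPO are placeholders for this repo's path); it only renders a score once a published run has completed.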
Acceptance Criteria
- Scorecard findings appear in the Security tab.
- README shows a live Scorecard badge.
- Workflow does not introduce a new required PR check.
- Any failing Scorecard control with an easy fix (e.g. pinned actions, token permissions) is either fixed in the same PR or filed as a follow-up issue.