docs(ci): add Codecov & OpenSSF Scorecard integration

.github/workflows/codecov.yml

@@ -0,0 +1,35 @@
+name: Codecov
+
+on:
+  workflow_run:
+    workflows: [CI]
+    types: [completed]
+    branches: [main, develop]
+
+concurrency:
+  group: codecov-${{ github.event.workflow_run.id }}
+  cancel-in-progress: true
+
+jobs:
+  upload-coverage:
+    if: github.event.workflow_run.conclusion == 'success'
+    runs-on: ubuntu-latest
+    permissions:
+      contents: read
+      actions: read
+
+    steps:
+      - name: Download coverage artifact
+        uses: actions/download-artifact@v4
+        with:
+          name: coverage-reports-20.x
+          run-id: ${{ github.event.workflow_run.id }}
+          github-token: ${{ github.token }}
+
+      - name: Upload to Codecov
+        uses: codecov/codecov-action@v5
+        with:
+          token: ${{ secrets.CODECOV_TOKEN }}
+          files: packages/api/coverage/lcov.info
+          fail_ci_if_error: false
+        continue-on-error: true

.github/workflows/scorecard.yml

@@ -0,0 +1,42 @@
+name: OpenSSF Scorecard
+on:
+  schedule:
+    - cron: "30 2 * * 1" # Run every Monday at 2:30 AM
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard Analysis
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: "Checkout code"
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v4.2.2
+        with:
+          persist-credentials: false
+
+      - name: "Run analysis"
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: "Upload artifact"
+        uses: actions/upload-artifact@4cec3d8aa04e39d1a68397de0c4cd6fb9dce8ec1 # v4.6.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: "Upload to code-scanning"
+        uses: github/codeql-action/upload-sarif@b20883b0cd1f46c72ae0ba6d1090936928f9fa30 # v3.26.10
+        with:
+          sarif_file: results.sarif

README.md

@@ -2,6 +2,8 @@
 
 > **Status**: Pre-launch development (Expected launch: March 2026)
 
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/oak-network/sdk/badge)](https://scorecard.dev/viewer/?uri=github.com/oak-network/sdk) [![Codecov](https://codecov.io/github/oak-network/sdk/graph/badge.svg)](https://app.codecov.io/github/oak-network/sdk) [![CodeQL](https://img.shields.io/github/actions/workflow/status/oak-network/sdk/codeql.yml?label=CodeQL&logo=github)](https://github.com/oak-network/sdk/actions/workflows/codeql.yml)
+
 TypeScript SDK for the Oak Network Crowdsplit API. Build secure payment applications with type-safe interfaces, comprehensive error handling, and OAuth 2.0 authentication.
 
 ---
@@ -547,6 +549,10 @@ CLIENT_SECRET=your_sandbox_client_secret
 OAK_ENVIRONMENT=sandbox
 ```
 
+### Code coverage
+
+Coverage is reported to [Codecov](https://about.codecov.io) after each successful CI run. The Codecov workflow runs separately with minimal permissions and uploads coverage from the API package. For uploads on pushes and pull requests from this repository, a `CODECOV_TOKEN` secret (from your organization or Codecov dashboard) may be required; when the token is not set, the upload step is skipped and the workflow still succeeds.
+
 ---
 
 ## 📖 Documentation