Feature: add scorecard to your project

[laurentsimon]

I ran the OpenSSF's scorecard on this project and found that branch protection and code reviews are not enforced.

I chatted with @josepalafox and he suggested I create this issue to start a discussion.

Given the popularity of this project and its sensitivity (access to build pipeline, etc), it would be beneficial to install scorecard as suggested in the workflow hardening guideline.

/cc @nebuk89

[laurentsimon]

/cc @isarkis @sethvargo

[mumoshu]

@laurentsimon Thanks for bringing this up. I just ran docker run -e GITHUB_AUTH_TOKEN=$OPENSSF_SCORECARD_GITHUB_TOKEN gcr.io/openssf/scorecard:stable --show-details --repo=https://github.com/actions-runner-controller/actions-runner-controller to see what it finds. Currently, it reports Aggregate score: 5.8 / 10. My goal is to make it close enough to 10. You can expect me to submit a few PRs to address each finding!

[mumoshu]

We've managed to score 8.2 out of 10 now.

RESULTS
-------
Aggregate score: 8.2 / 10

Check scores:
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
|  SCORE  |          NAME          |             REASON             |                                                  DETAILS                                                  |                                               DOCUMENTATION/REMEDIATION                                               |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 10 / 10 | Binary-Artifacts       | no binaries found in the repo  |                                                                                                           | https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#binary-artifacts       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 8 / 10  | Branch-Protection      | branch protection is not       | Info: 'force pushes' disabled                                                                             | https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#branch-protection      |
|         |                        | maximal on development and all | on branch 'master' Info:                                                                                  |                                                                                                                       |
|         |                        | release branches               | 'allow deletion' disabled on                                                                              |                                                                                                                       |
|         |                        |                                | branch 'master' Info: settings                                                                            |                                                                                                                       |
|         |                        |                                | apply to administrators on                                                                                |                                                                                                                       |
|         |                        |                                | branch 'master' Info: status                                                                              |                                                                                                                       |
|         |                        |                                | checks require up-to-date                                                                                 |                                                                                                                       |
|         |                        |                                | branches for 'master' Info:                                                                               |                                                                                                                       |
|         |                        |                                | status check found to merge                                                                               |                                                                                                                       |
|         |                        |                                | onto on branch 'master' Warn:                                                                             |                                                                                                                       |
|         |                        |                                | number of required reviewers                                                                              |                                                                                                                       |
|         |                        |                                | is only 1 on branch 'master'                                                                              |                                                                                                                       |
|         |                        |                                | Info: Stale review dismissal                                                                              |                                                                                                                       |
|         |                        |                                | enabled on branch 'master'                                                                                |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 9 / 10  | CI-Tests               | 29 out of 30 merged PRs        |                                                                                                           | https://github.com/ossf/scorecard/blob/5758364c82f7fc72b256f9a8cfc89dc550d7dd66/docs/checks.md#ci-tests               |
|         |                        | checked by a CI test -- score  |                                                                                                           |                                                                                                                       |
|         |                        | normalized to 9                |                                                                                                           |                                                                                                                       |
|---------|------------------------|--------------------------------|-----------------------------------------------------------------------------------------------------------|-----------------------------------------------------------------------------------------------------------------------|
| 5 / 10  | CII-Best-Practices     | badge detected: passing        |                                                                                                           | https://github.com/ossf/scorecard/blob/

I think it's the best we can do today.
Please raise another issue if you have more ideas.
Thanks!