Add Scorecard Action #1400

Merged
merged 3 commits into from
Nov 9, 2023
Conversation

diogoteles08
Contributor

Closes #1354

I also took the liberty of adding the Scorecard badge to your README. As I told you in the issue, Scorecard also has a Customer-faced side that helps customers evaluate the security posture of packages they want to use. The badge is a great way to show off your hard work!
(as much as it can look like a "not so good" score, a 6.7 score is a great score! It puts mozilla/rhino among the top 10% of relevant projects 😄)

Anyway, if you'd rather not add the badge or put it somewhere else, let me know and I can work on that as well

Cheers

@p-bakker
Collaborator

Thnx for the PR. Prefer to not have the change to the readme included, as the readme is ready for an overhaul as it is and rather include it when we do that overhaul

@p-bakker
Collaborator

@diogoteles08 any thoughts as to why Packaging and Branch Protection haven't gotten a score?

Have added one follow-up case to improve the score: #1404

@p-bakker
Collaborator

And #1405

@diogoteles08
Contributor Author

@diogoteles08 any thoughts as to why Packaging and Branch Protection haven't gotten a score?

Sure!

Concerning Packaging: That unfortunately is a current limitation of Scorecard, as it's only scoring Packaging when it can detect that a repository is automatically publishing GitHub Releases through a GitHub Action. Possible enhancements on this check are covered on ossf/scorecard#688

Concerning Branch Protection: This happens because the score you're seeing is actually from a service run periodically on relevant OSS projects, but the results are limited due to GitHub API permissions. This check will be covered as soon as we merge this PR (as the action will run and automatically update the values on the viewer), or if you run Scorecard CLI. A clarification on the viewer that would clarify your doubt is proposed on ossf/scorecard-webapp#427.

Additionally, I'd add that even after adopting the action, the Branch Protection check will only be able to recognize some of the rules adopted, also because of lack of permissions. This specific check will run 100% if you:

  • Add a specific PAT token to Scorecard with read permissions
  • Define your branch protection rules using the new GitHub feature called Repo Rules, which makes branch protection rules public by default.
    You can find more info around this here

Now about the issue/PR you have raised to solve other Scorecard recommendation, way to go! 😃 Happy to see your engagement and wishing those improvements land well ^^
I might drop some comments and suggestions on them in a bit.
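For readers who want to see what the two options above look like in practice, here is a Scorecard workflow that also wires in a read-only PAT for the Branch Protection check. This is an added illustration, not the workflow file from this PR; the file path, the secret name `SCORECARD_TOKEN` and the action version tags are assumptions.

```yaml
# .github/workflows/scorecard.yml (assumed path; not the file added by this PR)
name: Scorecard supply-chain security

on:
  # Re-run when branch protection settings change, on a schedule, and on pushes to the default branch
  branch_protection_rule:
  schedule:
    - cron: '30 3 * * 1'
  push:
    branches: [ master ]

# Least privilege at the workflow level; the job raises only what it needs
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload SARIF to the code-scanning dashboard
      id-token: write          # needed when publish_results is true

    steps:
      - name: Checkout
        uses: actions/checkout@v4   # Scorecard's Pinned-Dependencies check prefers a commit SHA here
        with:
          persist-credentials: false

      - name: Run analysis
        uses: ossf/scorecard-action@v2.3.1   # same remark: pin to a SHA in a real repo
        with:
          results_file: results.sarif
          results_format: sarif
          # Optional read-only PAT so Branch-Protection can see non-public rules.
          # If branch protection is expressed as public Repo Rules, this line can be left out.
          repo_token: ${{ secrets.SCORECARD_TOKEN }}
          # Publish to the OpenSSF viewer so the badge reflects this run instead of the periodic scan
          publish_results: true

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@v2
        with:
          sarif_file: results.sarif
```

Note that an organization allow-list for third-party actions must include `ossf/*` and `github/codeql-action/*` (and `actions/*`) or the job will be blocked before it starts.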

@p-bakker
Collaborator

@gbrail @rbri this LGTM, so from my perspective this can be merged

@gbrail
Collaborator

gbrail commented Nov 9, 2023

Thanks for doing this -- I would indeed like to include this stuff in the README sooner or later but we can do that when the time comes.

@gbrail gbrail merged commit 648a654 into mozilla:master Nov 9, 2023
3 checks passed
@gbrail
Collaborator

gbrail commented Nov 9, 2023

Sadly this doesn't run because the mozilla organization doesn't recognize "ossf" as a source of trusted GitHub Actions. I need to track down a Mozilla GitHub admin (good luck on that) and see if I can figure it out.

@p-bakker
Collaborator

p-bakker commented Nov 9, 2023

Or we take this as an incentive to move the rhino repo to the new rhino org 😎

rbri pushed a commit to rbri/rhino that referenced this pull request Nov 10, 2023
@diogoteles08
Contributor Author

Sadly this doesn't run because the mozilla organization doesn't recognize "ossf" as a source of trusted GitHub Actions. I need to track down a Mozilla GitHub admin (good luck on that) and see if I can figure it out.

Oh that's unfortunate, hope you can track down the admin for that. Please let me know if I can be of any more help

Successfully merging this pull request may close these issues.

Suggest Adoption of Scorecard GitHub Action