Proposal: Improved experience for large-scale (multi-org, multi-repo) deployment of Scorecard

[lelia]

Is your feature request related to a problem? Please describe.

While Scorecard and the Scorecard Action are well-suited for small-scale deployments (e.g. a single repository or small group of repositories), larger organizations, enterprise administrators, and maintainers of numerous (perhaps hundreds of) repositories often struggle with deploying Scorecard at scale.

There have been individual efforts to tackle this, such as the CLI installer tool, the creation of a custom matrix strategy, and the employment of reusable workflows, but each of these have their own limitations, and don't solve the issue in a particularly elegant way.

Recently, there have been several calls for the introduction of a GitHub App to deploy Scorecard across an entire organization. There may be potential to provide similar large-scale support on GitLab via the use of Group Access Tokens.

I also raised this issue at the most recent Scorecard community meeting, and there was widespread agreement that deploying Scorecard at scale is an increasingly common use case that warrants formalized support.

Describe the solution you'd like

This should be used as the top-level tracking issue for any and all efforts related to improving the user experience for large-scale deployments of Scorecard.

Describe alternatives you've considered

As mentioned above, several alternatives currently exist, but they all present their own challenges due to a lack of centralized support in the main Scorecard project.

Additional context

Refs:

• Feature: Managed Github App per org instead of github action per repo #4333
• Running under a matrix strategy scorecard-action#1419 (comment)
• https://www.ellipsis.dev/blog/how-to-move-your-github-app-to-gitlab

cc: @jeffmendoza @justaugustus @spencerschrock