
Add Scorecard workflow for supply-chain security and update README wi…#107

Open
kpj2006 wants to merge 3 commits into
AOSSIE-Org:mainfrom
kpj2006:patch-5

Conversation


@kpj2006 kpj2006 commented Mar 28, 2026

…th Scorecard badge

Addressed Issues:

Fixes #(issue number)

Screenshots/Recordings:

Additional Notes:

Checklist

  • My code follows the project's code style and conventions
  • I have made corresponding changes to the documentation
  • My changes generate no new warnings or errors
  • I have joined the Discord server and I will share a link to this PR with the project maintainers there
  • I have read the Contributing Guidelines

⚠️ AI Notice - Important!

We encourage contributors to use AI tools responsibly when creating Pull Requests. While AI can be a valuable aid, it is essential to ensure that your contributions meet the task requirements, build successfully, include relevant tests, and pass all linters. Submissions that do not meet these standards may be closed without warning to maintain the quality and integrity of the project. Please take the time to understand the changes you are proposing and their impact.

Summary by CodeRabbit

  • Chores

    • Added an OpenSSF Scorecard supply-chain security workflow to run scheduled, branch and manual analyses, publish results, and upload artifacts.
  • Documentation

    • Added an OpenSSF Scorecard badge to the README banner.


@github-actions github-actions Bot added no-issue-linked PR is not linked to any issue ci-cd CI/CD pipeline changes configuration Configuration file changes documentation Changes to documentation files github-actions GitHub Actions workflow changes size/M Medium PR (51-200 lines changed) repeat-contributor PR from an external contributor who already had PRs merged pending-coderabbit-review labels Mar 28, 2026

coderabbitai Bot commented Mar 28, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 5abf02fc-e3c4-43fc-bda8-20f12f614e7c

📥 Commits

Reviewing files that changed from the base of the PR and between f4baf4e and 5daf84b.

📒 Files selected for processing (1)
  • README.md

Walkthrough

Adds a GitHub Actions workflow for OpenSSF Scorecard and inserts an OpenSSF Scorecard badge into the README.

Changes

Security Workflow

Layer / File(s) Summary
Scorecard workflow
.github/workflows/scorecard.yml
Adds Scorecard supply-chain security workflow with an analysis job that hardens the runner, checks out the repo without persisted creds, runs ossf/scorecard-action to produce results.sarif, publishes results to api.scorecard.dev, uploads SARIF as a 5-day artifact, and uploads SARIF to GitHub code scanning. Triggers: branch_protection_rule, weekly schedule (cron 23 8 * * 6), push to dev, workflow_dispatch. Job-level perms: security-events: write, id-token: write.

Documentation

Layer / File(s) Summary
Insert Scorecard badge
README.md
Inserts an OpenSSF Scorecard badge link into the README's top social/banner row immediately after the existing YouTube badge (uses {owner}/{repo} placeholders).

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Suggested labels

Documentation

Suggested reviewers

  • Zahnentferner

Poem

🐰 A hop, a scan, a shiny badge,
I guard the chain from shelf to badge,
SARIF stored neat in artifact lairs,
A little hop to show we care,
Hooray — secure with cheerful flares!

🚥 Pre-merge checks | ✅ 4
✅ Passed checks (4 passed)
Check name Status Explanation
Description Check ✅ Passed Check skipped - CodeRabbit’s high-level summary is enabled.
Title check ✅ Passed The title accurately summarizes the main changes: adding a Scorecard workflow for supply-chain security and updating the README with a badge.
Linked Issues check ✅ Passed Check skipped because no linked issues were found for this pull request.
Out of Scope Changes check ✅ Passed Check skipped because no linked issues were found for this pull request.


@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 3

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/scorecard.yml:
- Line 17: The branches entry uses a flow sequence with spaced brackets
(`branches: [ "dev" ]`) which triggers YAMLlint's brackets rule; update the
`branches` value to a block sequence (replace the bracketed flow form under the
`branches` key with a dash-style list containing the string "dev") so the YAML
is lint-clean and equivalent in meaning.
- Around line 15-17: The workflow's push trigger (branches: ["dev"]) is being
nullified by the job-level condition that requires github.ref_name to equal the
repo default or the event to be manual/pull_request; either align the condition
with the declared trigger or align the trigger with the condition. Fix by
updating the job guard to allow github.ref_name == 'dev' (or the actual branch
name used in branches: ["dev"]) and/or add a pull_request trigger to the
workflow if you intend to run on PRs, or change branches: to the default branch
name so the existing github.ref_name check remains valid; look for the push
trigger, branches: ["dev"] and the job condition referencing github.ref_name and
github.event_name to make the change.

In `@README.md`:
- Line 48: Replace the placeholder "{owner}/{repo}" in the Scorecard badge URL
and the link target with this repository's actual owner and repository name so
both the image source and the link point to the correct repo; search for the
string "{owner}/{repo}" in the README line containing the badge and substitute
it with the actual "OWNER/REPO" values used by this project so the badge and
scorecard link resolve correctly.
ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: f2d92c02-14c9-437f-b53d-a530e48e902e

📥 Commits

Reviewing files that changed from the base of the PR and between 6ef9363 and aab8a0b.

📒 Files selected for processing (2)
  • .github/workflows/scorecard.yml
  • README.md

Co-authored-by: coderabbitai[bot] <136622811+coderabbitai[bot]@users.noreply.github.com>
@coderabbitai coderabbitai Bot left a comment


Actionable comments posted: 1

♻️ Duplicate comments (1)
.github/workflows/scorecard.yml (1)

15-17: ⚠️ Potential issue | 🟠 Major

Job guard currently conflicts with declared triggers and can skip valid runs.

Line 17 configures push on dev, but Line 30 gates execution on default_branch == ref_name; if default branch is not dev, push runs are skipped. Also, Line 32 checks pull_request even though no pull_request trigger exists.

🔧 Proposed fix (align job guard with actual triggers)
     if: |
       !github.event.repository.fork &&
-      (github.event.repository.default_branch == github.ref_name ||
-       github.event_name == 'workflow_dispatch' ||
-       github.event_name == 'pull_request')
+      (github.event_name == 'workflow_dispatch' ||
+       github.event_name == 'push' ||
+       github.event_name == 'schedule' ||
+       github.event_name == 'branch_protection_rule')
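Review bot: with all four declared trigger events enumerated, the proposed guard reduces to `!github.event.repository.fork` for every run this workflow can receive, so the event list adds no restriction and could be dropped for readability (or kept only to document intent). The part worth checking before adopting it is the dev push path: the walkthrough says the analysis job publishes results to api.scorecard.dev, and if publishing is only accepted from the repository's default branch (confirm this against the scorecard-action documentation), a push to dev would now pass the guard and fail later at the publish step instead of being skipped up front. Either keep the `default_branch == github.ref_name` comparison for the `push` case or point `branches:` at the default branch, and keep the removal of the unreachable `pull_request` check.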

Also applies to: 28-32

🤖 Prompt for AI Agents
Verify each finding against the current code and only fix it if needed.

In @.github/workflows/scorecard.yml around lines 15 - 17, The workflow's job
guard conflicts with its triggers: the push trigger lists branches: ["dev"] but
the job guard uses default_branch == ref_name and also checks pull_request even
though no pull_request trigger exists; update the guard to match the declared
triggers by either (A) set the push branches to the repository default branch
name used by default_branch, or (B) modify the job-level if condition to detect
the actual push ref (e.g. compare github.ref or ref_name to the literal
refs/heads/dev used in branches) and remove the unnecessary pull_request check;
reference the push branches setting, the job guard expression that uses
default_branch == ref_name, and the pull_request check when making the change.
🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/scorecard.yml:
- Around line 100-101: Replace the floating tag on the GitHub Action reference
github/codeql-action/upload-sarif (currently using `@v4`) with the provided full
commit SHA to pin the action for supply-chain security; change the usage string
to use the commit SHA d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e so the workflow
is consistent with other pinned actions.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 7b1464bb-dd91-457a-96c3-1453522d3e72

📥 Commits

Reviewing files that changed from the base of the PR and between aab8a0b and f4baf4e.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yml
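The review above asks for github/codeql-action/upload-sarif to be pinned to a full commit SHA instead of the floating @v4 tag, consistent with the other actions in the workflow. The checker below is an added example, not code from this PR, from the AOSSIE project or from CodeRabbit: it scans a workflow file for `uses:` references and reports any that are not pinned to a 40-character commit SHA, plus any SHA pin that lacks the trailing `# vX` comment that keeps the intended version readable. The sample workflow text is constructed here; its upload-sarif SHA is the one quoted in the review comment, while the other action references, their versions and the step layout are assumptions for illustration.

```python
import re

# Constructed sample workflow (not the PR's actual .github/workflows/scorecard.yml).
# The upload-sarif SHA is the one quoted in the review; the other refs are
# illustrative assumptions showing the unpinned forms the check should flag.
SAMPLE_WORKFLOW = """\
name: Scorecard supply-chain security
on:
  push:
    branches:
      - dev
  workflow_dispatch:
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.sarif
      - uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
        with:
          sarif_file: results.sarif
"""

# Matches a `uses:` line and captures the action reference and an optional
# trailing "# <version>" comment, which is how SHA pins stay human-readable.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)(?:\s*#\s*(\S+))?", re.MULTILINE)
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text):
    """Return a list of (action_ref, reason) for every remote action reference
    that is not pinned to a full commit SHA, or is pinned without a version comment."""
    findings = []
    for match in USES_RE.finditer(workflow_text):
        ref, version_comment = match.group(1), match.group(2)
        # Local composite actions and docker images are not tag/SHA references.
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        if "@" not in ref:
            findings.append((ref, "no version reference at all"))
            continue
        version = ref.rsplit("@", 1)[1]
        if not FULL_SHA_RE.match(version):
            findings.append((ref, f"floating reference '{version}' instead of a full commit SHA"))
        elif version_comment is None:
            findings.append((ref, "SHA pin lacks a trailing '# vX' comment naming the intended version"))
    return findings


def is_fully_pinned(workflow_text):
    """True when no action reference in the workflow needs attention."""
    return not find_unpinned_actions(workflow_text)


if __name__ == "__main__":
    for ref, reason in find_unpinned_actions(SAMPLE_WORKFLOW):
        print(f"{ref}: {reason}")
    print("fully pinned:", is_fully_pinned(SAMPLE_WORKFLOW))
```

Run against the sample, the checker flags the two floating references (actions/checkout@v4 and ossf/scorecard-action@v2.4.0) and accepts the SHA-pinned upload-sarif step. It is deliberately regex-based so it has no dependency beyond the standard library and can run as a pre-commit hook or a CI step over `.github/workflows/*.yml`; a tag like `v4` can be moved to point at different code, while a commit SHA identifies exactly one revision, which is why pinning is the supply-chain control the review asks for.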

@github-actions

Hello 👋 This PR has had no activity for more than 2 weeks. If you are still working on it, please push an update or leave a comment. Ping a maintainer if you believe it is ready for review or merge! This PR will be automatically closed in 7 days if there is no further activity.

@github-actions github-actions Bot added the Stale label Apr 12, 2026
@kpj2006 kpj2006 removed the Stale label Apr 12, 2026
@github-actions

Hello 👋 This PR has had no activity for more than 2 weeks. If you are still working on it, please push an update or leave a comment. Ping a maintainer if you believe it is ready for review or merge! This PR will be automatically closed in 7 days if there is no further activity.

@github-actions

⚠️ This PR has merge conflicts.

Please resolve the merge conflicts before review.

Your PR will only be reviewed by a maintainer after all conflicts have been resolved.

📺 Watch this video to understand why conflicts occur and how to resolve them:
https://www.youtube.com/watch?v=Sqsz1-o7nXk


github-actions Bot commented May 15, 2026

⚠️ PR Template Check

These are non-blocking, but please fix:

  • Please replace the placeholder Fixes #(issue number) with the actual issue number (e.g. Fixes #42).

  • Some required checklist items are not completed:

  • My PR addresses a single issue

Generated by 🚫 dangerJS against 5daf84b
