Phase 1 of a 'serious project' trust-signal pass. Three atomic CI/docs commits, no runtime behaviour change.
## What landed

- OSSF Scorecard workflow (`.github/workflows/scorecard.yml`): runs `ossf/scorecard-action` on every main push, weekly cron, and manual dispatch. Publishes to scorecard.dev so the README badge renders the live score. SARIF uploaded to the Security tab. Permissions scoped per-job; workflow default stays `read-all`.
- CodeQL SAST workflow (`.github/workflows/codeql.yml`): analyses python and javascript on every main push + PR + weekly cron. Uses the `security-extended` query suite. Findings land in the Security tab.
- README badges: CodeQL, OSSF Scorecard, Codecov. The CI workflow already uploaded coverage via `codecov/codecov-action@v3`; the badge surfaces a number that was already being computed but invisible.
## Out of scope (Phase 2)

SLSA Provenance Level 3 on the Docker images pushed by `docker-multiplatform.yml`. Deferred to its own PR.
## Follow-ups for the Scorecard score

Initial score will likely sit around 6-7/10. Known gaps the workflow will flag:

- Pinned-Dependencies: action versions pinned to major tags (`@v4`, `@v3`), not SHAs. Tightening to SHA is the biggest single uplift.
- Branch-Protection: `main` has no required reviews / required status checks at the repo level.
- Token-Permissions: pre-existing workflows (`ci.yml`, `docker-multiplatform.yml`) don't declare `permissions:` blocks. New workflows in this PR do.
These are tracked separately and not blocking - the workflow lands first so we have a baseline measurement.
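For the two workflow-level gaps listed above (Pinned-Dependencies and Token-Permissions), a local pre-check is useful before the weekly Scorecard run reports them. The script below is an added example, not part of this PR or of `ossf/scorecard-action`; it scans workflow text for `uses:` references that are not pinned to a 40-hex commit SHA and for a missing top-level `permissions:` block. The two embedded workflows are constructed samples, and the SHA in the hardened one is a placeholder, not a real pin for `actions/checkout`.

```python
"""Pre-check two OSSF Scorecard findings on GitHub Actions workflow text:
Pinned-Dependencies (third-party actions pinned to a full commit SHA) and
Token-Permissions (a top-level ``permissions:`` block declared).

Added example, not part of the PR. Standard library only: workflows are
scanned line by line rather than YAML-parsed, which is sufficient for
``uses:`` references and an unindented top-level ``permissions:`` key.
"""
from __future__ import annotations

import re
from dataclasses import dataclass, field

# A full Git commit SHA; Scorecard treats any other ref (tag, branch) as unpinned.
_SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches "- uses: owner/action@ref" or "uses: owner/action@ref", stopping at a comment.
_USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# Top-level key only: no leading indentation, so per-job blocks do not match.
_TOP_PERMS_RE = re.compile(r"^permissions:\s*(\S*)")


@dataclass
class AuditResult:
    unpinned: list[str] = field(default_factory=list)
    has_top_level_permissions: bool = False
    top_level_permissions: str = ""


def audit_workflow(text: str) -> AuditResult:
    """Collect unpinned action refs and whether a top-level permissions key exists."""
    result = AuditResult()
    for line in text.splitlines():
        m = _TOP_PERMS_RE.match(line)
        if m:
            result.has_top_level_permissions = True
            result.top_level_permissions = m.group(1) or "(map)"
            continue
        m = _USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1).strip("'\"")
        if ref.startswith("./") or ref.startswith("docker://"):
            continue  # local and container actions carry no tag to pin
        _, _, version = ref.partition("@")
        if not _SHA_RE.match(version):
            result.unpinned.append(ref)
    return result


def scorecard_gaps(result: AuditResult) -> list[str]:
    """Name the Scorecard checks the audited workflow would lose points on."""
    gaps = []
    if result.unpinned:
        gaps.append("Pinned-Dependencies")
    if not result.has_top_level_permissions:
        gaps.append("Token-Permissions")
    return gaps


# Constructed sample: major-tag pins and no permissions block (the pre-existing shape).
WEAK_WORKFLOW = """\
name: ci
on: [push, pull_request]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-python@v5
      - run: pytest
      - uses: codecov/codecov-action@v3
"""

# Constructed sample: read-all default, per-job scoping, SHA pin (placeholder SHA).
HARDENED_WORKFLOW = """\
name: ci
on: [push, pull_request]
permissions: read-all
jobs:
  test:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - run: pytest
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        r = audit_workflow(text)
        print(f"{label}: unpinned={r.unpinned} gaps={scorecard_gaps(r)}")
```

Run it against `.github/workflows/*.yml` by reading each file into `audit_workflow`; a workflow that yields an empty gap list is one the two named checks will not flag. The scan is deliberately conservative: anything that is not a full SHA, including the `@v4`/`@v3` pins this PR uses, counts as unpinned, which matches how Scorecard scores it.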
Closes #195.