ossf/scorecard v5.5.0 on GitHub

What's Changed

The official Scorecard docker images are hosted on GitHub Container Registry starting with v5.5.0.
Older releases will be brought over from Google Container/Artifact Registry, before being discontinued.(@spencerschrock in #4885)
Scorecard will now skip checks that don't apply to the current repo type by @JamieMagee in #5000.
If any checks no longer run that previously ran, and you think are supported by the underlying forge please file an issue.

🌱 Use rulesets if one exists when classic branch protection rule is inaccessible by @trask in #4853

✨ Support custom CII_Best_Practices_URL via environment variable. by @kash2104 in #4882

🐛 detect toJSON(github.event) in Dangerous-Workflow check by @heathdutton in #4898

🐛 Skip CODEOWNERS file in contributors check if there is a parsing error by @juanis2112 in #4851

📖 Add Security Insights file and update maintainer affiliation by @justaugustus in #4863
📖 doc: add CDN design to repository by @spencerschrock in #4932
📖 Scorecard v6: OSPS Baseline conformance proposal and 2026 roadmap by @justaugustus in #4952

🌱 cron: remove error wrapping workaround by @alexandear in #4864
🌱 deps: switch from gopkg.in/yaml.vX to go.yaml.in/yaml/vX by @scop in #4895
🌱 ci: use smaller repo for gitlab e2e tests to avoid timeouts by @spencerschrock in #4924
🌱 Bump go-github to v82 by @Kielek in #4923
🌱 ci: remove all e2e test references to gitlab.com/gitlab-org/gitlab by @spencerschrock in #4927
🌱 cron: Add ability to purge cached results from a CDN by @spencerschrock in #4928
🌱 cron: enable CDN purging in prod weekly scans by @spencerschrock in #4931
🌱 Set OSV User-Agent for scorecard cli and cron workers. by @kash2104 in #4883
🌱 Fix PR verifier by replacing deprecated Docker action by @justaugustus in #4972
🌱 e2e: add Azure DevOps tests by @JamieMagee in #4993
🌱 Fix PR template formatting by @martincostello in #5003
🌱 Add Jamie Magee as a maintainer for Azure DevOps by @JamieMagee in #5024

Full Changelog: v5.4.0...v5.5.0