ci(scorecard): add OpenSSF Scorecard workflow + README badges (#16)

* ci(scorecard): add OpenSSF Scorecard workflow + README badges

Adds .github/workflows/scorecard.yml — runs the OpenSSF Scorecard
supply-chain check on push to main, weekly cron, and on
branch_protection_rule changes. Results land in two places:

  - GitHub code-scanning (/security/code-scanning) via SARIF upload
  - Public Scorecard registry (api.scorecard.dev) via OIDC publish so
    the README badge resolves to a live score

All third-party actions are pinned to commit SHAs:
  - actions/checkout@v4
  - ossf/scorecard-action@v2.4.3
  - actions/upload-artifact@v7.0.1
  - github/codeql-action/upload-sarif@v4.35.2

README: add the Scorecard badge to the badge row, plus an HTML
comment with the one-time steps to register the project at
bestpractices.dev and append the Best Practices badge once a
PROJECT_ID has been issued (the badge URL is invalid until the
project is registered, so it's documented inline rather than
shipped broken).

Co-Authored-By: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

* ci(scorecard): scope permissions to contents:read at workflow level

Sonar githubactions:S8234 flagged 'permissions: read-all' as a
vulnerability. Job-level permissions already grant exactly what the
scorecard analyzer needs (security-events: write for SARIF upload,
id-token: write for OIDC publish, contents: read, actions: read);
the top-level grant is only a fallback for any future steps without
their own block, so contents:read is the right minimum.

---------

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

.github/workflows/scorecard.yml

@@ -0,0 +1,75 @@
+name: OpenSSF Scorecard
+
+# Runs the OpenSSF Scorecard supply-chain check on every push to main
+# and weekly. Results are uploaded to GitHub's code-scanning surface
+# (visible at /security/code-scanning) AND published to the public
+# Scorecard registry at api.scorecard.dev so the README badge shows
+# the live score.
+#
+# Required repo settings:
+# - Settings → Actions → General → Workflow permissions: at least
+#   "Read repository contents and packages permissions" (default).
+# - Settings → Code security → Code scanning: enabled (so SARIF
+#   uploads land somewhere).
+# - The workflow grants `id-token: write` so the action can mint an
+#   OIDC token signed by GitHub and use it as proof-of-identity when
+#   pushing results to the Scorecard API. No long-lived secret needed.
+
+on:
+  branch_protection_rule:
+  push:
+    branches: [main]
+  schedule:
+    # Weekly so the score reflects security-relevant changes (new
+    # deps, new releases, branch-protection edits) even when there's
+    # no push for a few days. Tuesdays 03:00 UTC keeps it off the
+    # busy weekday-morning window.
+    - cron: "0 3 * * 2"
+  workflow_dispatch:
+
+permissions:
+  contents: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    permissions:
+      # Required for upload-sarif → /security/code-scanning.
+      security-events: write
+      # Required for OIDC publish_results=true → api.scorecard.dev.
+      id-token: write
+      contents: read
+      actions: read
+    steps:
+      - name: Checkout
+        # actions/checkout@v4 = b4ffde65f46336ab88eb53be808477a3936bae11
+        uses: actions/checkout@b4ffde65f46336ab88eb53be808477a3936bae11
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        # ossf/scorecard-action@v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # publish_results=true sends the score to the public registry
+          # so the README badge resolves. It is also a public-good
+          # contribution — anyone evaluating ctm's supply-chain posture
+          # can read the breakdown without re-running the tool.
+          publish_results: true
+
+      - name: Upload artifact
+        # actions/upload-artifact@v7.0.1
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        # github/codeql-action/upload-sarif@v4.35.2
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225
+        with:
+          sarif_file: results.sarif

README.md

@@ -7,8 +7,30 @@
   <a href="https://goreportcard.com/report/github.com/RandomCodeSpace/ctm"><img src="https://goreportcard.com/badge/github.com/RandomCodeSpace/ctm" alt="Go Report Card"></a>
   <img src="https://img.shields.io/github/go-mod/go-version/RandomCodeSpace/ctm?color=00ADD8&label=go" alt="Go version">
   <a href="https://github.com/RandomCodeSpace/ctm/blob/main/LICENSE"><img src="https://img.shields.io/badge/license-MIT-green" alt="License MIT"></a>
+  <a href="https://scorecard.dev/viewer/?uri=github.com/RandomCodeSpace/ctm"><img src="https://api.scorecard.dev/projects/github.com/RandomCodeSpace/ctm/badge" alt="OpenSSF Scorecard"></a>
 </p>
 
+<!--
+OpenSSF Best Practices badge — one-time setup, then add the markup
+back into the badge row above:
+
+  1. Sign in with GitHub at https://www.bestpractices.dev/en/projects/new
+  2. Submit the project; the form assigns a numeric PROJECT_ID and
+     opens the criteria checklist (passing / silver / gold tiers).
+  3. Add the following to the <p align="center"> block above (replace
+     PROJECT_ID with the assigned number):
+
+        <a href="https://www.bestpractices.dev/projects/PROJECT_ID">
+          <img src="https://www.bestpractices.dev/projects/PROJECT_ID/badge"
+               alt="OpenSSF Best Practices">
+        </a>
+
+The badge auto-updates as criteria are checked off — no CI integration
+required (unlike the Scorecard badge, which is updated by the
+.github/workflows/scorecard.yml workflow on every push to main).
+-->
+
+
 <p align="center">
   <a href="#quickstart">Quickstart</a> ·
   <a href="#commands">Commands</a> ·