ci(scorecard): trigger after release completion, not every main push (#42)

- Adds workflow_run: on release completion → scorecard scans the
  fresh release artifacts right after they land, so Signed-Releases
  and Packaging checks see current state.
- Adds workflow_dispatch for manual re-scans.
- Removes push:branches:[main] — most commits don't change scorecard-
  visible state; scanning on every merge just burned runner time
  and published stale reports.
- Keeps the weekly Monday schedule as a backstop.

Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: aksOps

.github/workflows/scorecard.yml

@@ -1,11 +1,20 @@
 name: scorecard
 
+# Triggers:
+#   - workflow_run on completed 'release' runs   → scan fresh release assets
+#   - weekly schedule (Mondays, 06:00 UTC)       → backstop against drift
+#   - branch_protection_rule changes             → re-score when policy moves
+#   - manual workflow_dispatch                   → on-demand
+# Not on every main push — most commits don't change release/scorecard-visible
+# state, so we were burning runner time publishing stale results.
 on:
+  workflow_run:
+    workflows: [release]
+    types: [completed]
   branch_protection_rule:
   schedule:
     - cron: '0 6 * * 1'
-  push:
-    branches: [main]
+  workflow_dispatch:
 
 permissions: read-all