Question on Implementing OpenSSF's Scorecard Github Action

[gregorywaynepower]

Feature description

I have sincerely enjoyed learning and using QGIS and making small contributions. I am not sure if this would fall under a QEP or not:

• Implementing Open SSF's Scorecard Github Action to this project.
• Posting the OpenSSF Best Practices Badge to the README.md

The reason I bring this up is due to me running OpenSSF's Scorecard CLI Tool against this repo--which I understand isn't the same as the current (3.34.2) release and the LTS (3.28.14) release and I wanted to make sure I wasn't being alarmist about the results I got. I'd enjoy making further contributions.

If y'all want to run it for yourselves of what the scorecard produces here's a command that will give you an at-a-glance output.

sudo docker run -e GITHUB_AUTH_TOKEN=GITHUB_AUTH_TOKEN_with_pub_repo_permissions_here gcr.io/openssf/scorecard:stable --repo=https://github.com/qgis/QGIS   

If you want to isolate a particular check you can use the --checks flag.

sudo docker run -e GITHUB_AUTH_TOKEN=GITHUB_AUTH_TOKEN_with_pub_repo_permissions_here gcr.io/openssf/scorecard:stable --repo=https://github.com/qgis/QGIS --checks=Vulnerabilities  

If you want particular insight on what a particular check means:

sudo docker run -e GITHUB_AUTH_TOKEN=GITHUB_AUTH_TOKEN_with_pub_repo_permissions_here gcr.io/openssf/scorecard:stable --repo=https://github.com/qgis/QGIS --checks=Vulnerabilities  --show-details

Additional context

No response

[andy778]

Running scorecard from command line it gives 6.3 and not 5.6

The difference seems to be that command line also includes:

• CI-Tests
• Contribution
• Dependency update tool
• Signed release