gh-99668: Add OpenSSF Scorecard GitHub Action and badge

[alex-semenyuk]

Add OpenSSF Scorecard GitHub Action which performs dozens of automated
checks to ensure the project's security posture is solid and badge which
shows OpenSSF Scorecard score: https://scorecard.dev/viewer/?uri=github.com/python/cpython

• Issue: Add the OpenSSF Scorecard GitHub Action #99668

[AA-Turner]

I'm sceptical of the value proposition here, it seems to mainly be promoting the 'scorecard' programme through adding (another) badge to the README. The Python project has long-established security practices, which we should probably draw more attention to than a somewhat arbitrary 'score' from 0-10.

cc @sethmlarson as a resident security expert.

A

[alex-semenyuk]

I'm sceptical of the value proposition here, it seems to mainly be promoting the 'scorecard' programme through adding (another) badge to the README. The Python project has long-established security practices, which we should probably draw more attention to than a somewhat arbitrary 'score' from 0-10.

cc @sethmlarson as a resident security expert.

A

Value is not at score itself but at issues which needs to be addressed

Btw these are issues which need to be addressed https://scorecard.dev/viewer/?uri=github.com/python/cpython

[sethmlarson]

I'm a -1 on adopting this as a workflow that needs to be maintained and the results which need to be handled by some ambiguous "someone".

Scorecard can be run by anyone as a CLI and then if that someone cares and has the time to fix the issues they can do so. Any work that gets done can be documented with justifications so it's not undone later.

This approach means the work is owned by someone and we're not simply creating more work to do while crossing our fingers that it gets done (by volunteers). This also means one less workflow to run and maintain on our CI which I understand to already be quite busy.