ci: Add GHA workflow to calculate the OpenSSF scorecard. #4012

Open
wants to merge 1 commit into
base: main
Conversation

xhochy
Contributor

@xhochy xhochy commented Jun 25, 2025

The OpenSSF Scorecard is a common tool to assess the quality of a dependency for "risky practices". While the project itself calculates the score for a lot of projects, we would like to add it directly here to ensure the "shortcomings" are visible to maintainers, and also because the workflow gets a bit more visibility into the repository settings, which will also lead to a higher score.

For an example output, see https://scorecard.dev/viewer/?uri=github.com/Quantco/pixi-pack

I'm also happy to help to get a better score ;)

@ruben-arts
Contributor

Can we take a look before publishing, and remove shortcomings before there is a report about them? ;)

@xhochy
Contributor Author

xhochy commented Jun 25, 2025

`pixi exec scorecard --repo https://github.com/prefix-dev/pixi | gh gist create -`: https://gist.github.com/xhochy/280711212ce75b0e7630df1e43f97d6f (with details: https://gist.github.com/xhochy/137623bc248536c6d5a3f7f735243e12 )

Pinned dependencies and token permissions are probably easy to fix. For signed releases, I can try to contribute what I did for pixi-pack.

Generally, a score of 7+ is what you should try to reach; everything above is nice to have.
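The two findings called "easy to fix" above, Pinned-Dependencies and Token-Permissions, both come down to the shape of the workflow file. The following is an added example, not code from the pixi repository, from this PR or from the Scorecard project: a small stand-alone checker for those two properties, run over two constructed workflow files. The action names `actions/checkout` and `ossf/scorecard-action` are real, but the version tags, the 40-hex SHAs and the workflow contents are placeholders chosen for illustration.

```python
import re

# Matches `uses:` entries in steps (and reusable-workflow `uses:` in jobs).
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([^\s#]+)")
# A full-length git commit SHA is the only reference Scorecard treats as pinned.
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def find_unpinned_actions(workflow_text: str) -> list[str]:
    """Return every `uses:` reference that is not pinned to a 40-hex commit SHA.

    Local actions (`./path`) and `docker://` images are skipped here: they are
    resolved differently and are out of scope for this illustration.
    """
    unpinned = []
    for line in workflow_text.splitlines():
        m = USES_RE.match(line)
        if not m:
            continue
        ref = m.group(1)
        if ref.startswith("./") or ref.startswith("docker://"):
            continue
        _action, sep, version = ref.partition("@")
        if not sep or not SHA_RE.match(version):
            unpinned.append(ref)
    return unpinned


def top_level_permissions(workflow_text: str):
    """Return the workflow-level `permissions:` block.

    Shorthand forms (`read-all`, `write-all`, `{}`) come back as {"*": value};
    a mapping comes back as {scope: access}; None means the key is absent,
    in which case the repository default applies (which may be read/write).
    """
    lines = workflow_text.splitlines()
    for i, line in enumerate(lines):
        if not line.startswith("permissions:"):  # column 0 only: top level
            continue
        value = line[len("permissions:"):].strip()
        if value:
            return {"*": value}
        perms = {}
        for sub in lines[i + 1:]:
            if not sub.startswith(" "):  # back at column 0: block has ended
                break
            scope, _, access = sub.strip().partition(":")
            perms[scope] = access.strip()
        return perms
    return None


def has_read_only_top_level_permissions(workflow_text: str) -> bool:
    """True when a top-level block exists and grants no write scope.

    Job-level `permissions:` may still add writes where a job needs them;
    the point is that the default for every job is read-only.
    """
    perms = top_level_permissions(workflow_text)
    if perms is None:
        return False
    return not any("write" in access for access in perms.values())


def scan(workflow_text: str) -> dict:
    """Summarise both findings for one workflow file."""
    return {
        "unpinned": find_unpinned_actions(workflow_text),
        "read_only_top_level_permissions": has_read_only_top_level_permissions(workflow_text),
    }


# Constructed sample (not a real pixi workflow): tags instead of SHAs and no
# top-level permissions block, so the repository default token applies.
WEAK_WORKFLOW = """\
name: scorecard
on:
  push:
    branches: [main]
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
    steps:
      - uses: actions/checkout@v4
      - uses: ossf/scorecard-action@v2
"""

# Constructed hardened form: read-only default, writes granted per job, and
# every action pinned to a full SHA (placeholder SHAs, not real commits).
HARDENED_WORKFLOW = """\
name: scorecard
on:
  push:
    branches: [main]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567 # v4 (placeholder SHA)
      - uses: ossf/scorecard-action@fedcba9876543210fedcba9876543210fedcba98 # v2 (placeholder SHA)
"""

if __name__ == "__main__":
    for name, text in (("weak", WEAK_WORKFLOW), ("hardened", HARDENED_WORKFLOW)):
        print(name, scan(text))
```

The checker is deliberately line-based rather than a full YAML parse so it runs without extra dependencies; it will not see `uses:` references that are built from expressions, and it treats a blank line as the end of a top-level `permissions:` mapping. For a real audit, run the Scorecard tool itself, as done with `pixi exec scorecard` above.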

@xhochy
Contributor Author

xhochy commented Jun 25, 2025

Pinned dependencies

This is rather something to look into in the scorecard code. It's probably only the setup-pixi action.

The [OpenSSF Scorecard](https://scorecard.dev/) is a common tool to
assess the quality of a dependency for "risky practices". While the
project itself calculates the score for a lot of projects, we would like
to add it directly here to ensure the "shortcomings" are visible to
maintainer and also because the workflow gets a bit more visibility into
the repository settings, it will also lead to a higher score.

@Hofer-Julian
Contributor

Pinned dependencies

This is rather something to look into in the scorecard code. It's probably only the setup-pixi action.

Yeah, our reasoning was that this is our product, so we don't need to pin it

@ruben-arts
Contributor

I guess we should be able to get rid of the Binary-Artifacts by building the trampolines in our deployment stage, but I would want to test them before sending them off 😅.

3 participants