Introduce OpenSSF Scorecard GitHub action

.github/workflows/build.yaml

@@ -29,13 +29,15 @@ jobs:
     runs-on: ${{ matrix.os }}
     continue-on-error: ${{ matrix.experimental }}
     steps:
-        # We run the build twice for each supported JDK: once against the
-        # original Error Prone release, using only Error Prone checks available
-        # on Maven Central, and once against the Picnic Error Prone fork,
-        # additionally enabling all checks defined in this project and any
-        # Error Prone checks available only from other artifact repositories.
+      # We run the build twice for each supported JDK: once against the
+      # original Error Prone release, using only Error Prone checks available
+      # on Maven Central, and once against the Picnic Error Prone fork,
+      # additionally enabling all checks defined in this project and any Error
+      # Prone checks available only from other artifact repositories.
       - name: Check out code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/[email protected]
         with:

.github/workflows/deploy-website.yaml

@@ -3,16 +3,18 @@ on:
   pull_request:
   push:
     branches: [ master, website ]
+permissions:
+  contents: read
 concurrency:
   group: ${{ github.workflow }}-${{ github.ref }}
 jobs:
   build:
-    permissions:
-      contents: read
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - uses: ruby/[email protected]
         with:
           working-directory: ./website

.github/workflows/openssf-scorecard.yml

@@ -0,0 +1,37 @@
+# Analyzes the code base and GitHub project configuration for adherence to
+# security best practices for open source software. Identified issues are
+# registered with GitHub's code scanning dashboard. When a pull request is
+# analyzed, any offending lines are annotated. See
+# https://securityscorecards.dev for details.
+name: OpenSSF Scorecard update
+on:
+  pull_request:
+  push:
+    branches: [ master ]
+  schedule:
+    - cron: '0 4 * * 1'
+permissions:
+  contents: read
+jobs:
+  analyze:
+    permissions:
+      contents: read
+      security-events: write
+      id-token: write
+    runs-on: ubuntu-22.04
+    steps:
+      - name: Check out code
+        uses: actions/[email protected]
+        with:
+          persist-credentials: false
+      - name: Run OpenSSF Scorecard analysis
+        uses: ossf/[email protected]
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: ${{ github.ref == 'refs/heads/master' }}
+      - name: Update GitHub's code scanning dashboard
+        uses: github/codeql-action/[email protected]
+        with:
+          sarif_file: results.sarif
+

.github/workflows/pitest-analyze-pr.yml

@@ -15,6 +15,7 @@ jobs:
         uses: actions/[email protected]
         with:
           fetch-depth: 2
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/[email protected]
         with:

.github/workflows/pitest-update-pr.yml

@@ -9,16 +9,20 @@ on:
       - completed
 permissions:
   actions: read
-  checks: write
-  contents: read
-  pull-requests: write
 jobs:
   update-pr:
     if: ${{ github.event.workflow_run.conclusion == 'success' }}
+    permissions:
+      actions: read
+      checks: write
+      contents: read
+      pull-requests: write
     runs-on: ubuntu-22.04
     steps:
       - name: Check out code
         uses: actions/[email protected]
+        with:
+          persist-credentials: false
       - name: Set up JDK
         uses: actions/[email protected]
         with: