Hello, I'm working on behalf of Google and the Open Source Security Foundation to help essential open-source projects improve their supply-chain security. Given the relevance and impact that XGBoost has on countless projects, the OpenSSF has identified it as one of the 100 most critical open source projects.
Would you consider adopting an OpenSSF tool called Scorecards? Scorecards runs dozens of automated security checks to help maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, in partnership with GitHub.
I see that the XGBoost project already follows many of the security best practices that Scorecard checks, such as the Binary-Artifacts, CI-Tests, Code-Review and Vulnerabilities criteria. But there are still plenty of criteria you could work on in order to improve the project's security, and Scorecard would help you go through this task.
To simplify maintainers' lives, the OpenSSF has also developed the Scorecard GitHub Action. It is very lightweight and runs on every change to the repository's main branch. The results of its checks are available on the project's security dashboard, and include suggestions on how to solve any issues (see examples below). The Action does not run or interact with any workflows, but merely parses them to identify possible vulnerabilities. This Action has been adopted by 1800+ projects already.
Would you be interested in a PR which adds this Action? Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.
The changes involved would be:
A configuration file to enable the Scorecard GitHub Action at .github/workflows/scorecard.yml
(optional) the badge added to the README file.
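As an added illustration (not part of the issue author's proposal or of the XGBoost repository), this is the shape such a scorecard.yml would take: the job runs with read-only token permissions, grants only the two write scopes needed to upload results, and checks out without persisting credentials. The action version tags and the default branch name are assumptions and should be pinned to full commit SHAs before use.

```yaml
# .github/workflows/scorecard.yml (added example; version tags and branch name are assumptions)
name: Scorecard supply-chain security

on:
  # Re-evaluate when branch protection settings change.
  branch_protection_rule:
  # Weekly run so the score does not go stale between pushes.
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ master ]   # assumed default branch; adjust to the repository's

# Default to a read-only token for every job in this workflow.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # Needed to upload SARIF results to the code-scanning dashboard.
      security-events: write
      # Needed to publish results to the OpenSSF REST API (for the badge).
      id-token: write

    steps:
      - name: Checkout code
        uses: actions/checkout@v4   # assumed tag; pin to a full commit SHA
        with:
          # Do not leave the GITHUB_TOKEN in the checked-out tree.
          persist-credentials: false

      - name: Run Scorecard analysis
        uses: ossf/scorecard-action@v2   # assumed tag; pin to a full commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # Set to false if the project does not want a public score/badge.
          publish_results: true

      - name: Upload results to code-scanning dashboard
        uses: github/codeql-action/upload-sarif@v3   # assumed tag; pin to a full commit SHA
        with:
          sarif_file: results.sarif
```

Findings then appear under the repository's Security tab as code-scanning alerts, each with the remediation text the issue author refers to.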