
ci: add OpenSSF Scorecard workflow#1020

Merged
mergify[bot] merged 1 commit into python-wheel-build:main from mprpic:automate-openssf-scorecard
Apr 3, 2026

Conversation

@mprpic
Contributor

@mprpic mprpic commented Apr 3, 2026

Pull Request Description

What

Add automated weekly Scorecard analysis that publishes results to the OpenSSF dashboard and uploads SARIF findings to GitHub's Security tab.

The workflow also triggers on any changes to the branch protection rules so that any changes can be reflected in the current score immediately, and also allows running the workflow manually.

See also #1008

Why

Scores are automated and violations can be seen in the repo itself (in the Security tab).

@mprpic mprpic requested a review from a team as a code owner April 3, 2026 16:35
@mprpic mprpic added the ci label Apr 3, 2026
@coderabbitai

coderabbitai bot commented Apr 3, 2026

No actionable comments were generated in the recent review. 🎉

ℹ️ Recent review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: CHILL

Plan: Pro

Run ID: 46ae5403-3513-43f0-ab0f-8742c6bca49a

📥 Commits

Reviewing files that changed from the base of the PR and between b344f6e and 79c9c8a.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yaml
✅ Files skipped from review due to trivial changes (1)
  • .github/workflows/scorecard.yaml

📝 Walkthrough

Walkthrough

Adds a new GitHub Actions workflow .github/workflows/scorecard.yaml named "OpenSSF Scorecard". Triggers: branch_protection_rule, weekly schedule (30 1 * * 1), and workflow_dispatch. Sets default permissions to read-all. Defines a single job analysis (runs-on ubuntu-latest) with conditional execution when github.repository_owner == 'python-wheel-build'. Job checks out the repo (persist-credentials: false), runs ossf/scorecard-action producing results.sarif and publishing results, uploads results.sarif as an artifact with 5-day retention, and uploads the SARIF to GitHub code scanning via github/codeql-action/upload-sarif.

Estimated code review effort

🎯 2 (Simple) | ⏱️ ~8 minutes

🚥 Pre-merge checks | ✅ 2
✅ Passed checks (2 passed)
Check name Status Explanation
Title check ✅ Passed The title accurately describes the main change: adding a GitHub Actions workflow for OpenSSF Scorecard analysis.
Description check ✅ Passed The description is directly related to the changeset, explaining the purpose of the new Scorecard workflow and its triggers.

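To make the walkthrough above concrete, here is an added reconstruction of what `.github/workflows/scorecard.yaml` looks like given those triggers, permissions and steps. This is example code written for this page, not the file from the PR: the action version tags and the job-level `permissions` block are assumptions (the page only states the top-level `read-all` default), while the triggers, the `repository_owner` guard, `persist-credentials: false`, the `results.sarif` name and the 5-day retention come from the walkthrough.

```yaml
# Reconstruction for illustration; version tags and the job-level
# permissions block are assumed, everything else follows the walkthrough.
name: OpenSSF Scorecard

on:
  # Re-score immediately when branch protection settings change.
  branch_protection_rule:
  schedule:
    - cron: '30 1 * * 1'   # weekly, Monday 01:30 UTC
  workflow_dispatch:        # allow manual runs

# Default token is read-only for every job; grants are widened per job below.
permissions: read-all

jobs:
  analysis:
    runs-on: ubuntu-latest
    # Only the upstream repository publishes a score; forks skip the job.
    if: github.repository_owner == 'python-wheel-build'
    # Assumed grants: scorecard-action needs id-token to publish to the
    # OpenSSF dashboard, upload-sarif needs security-events to write to
    # code scanning. Everything else stays at the read-all default.
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: Checkout code
        uses: actions/checkout@v4            # assumed version tag
        with:
          persist-credentials: false         # keep the token out of .git/config

      - name: Run analysis
        uses: ossf/scorecard-action@v2       # assumed version tag
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true              # send the score to the dashboard

      - name: Upload artifact
        uses: actions/upload-artifact@v4     # assumed version tag
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5

      - name: Upload to code-scanning
        uses: github/codeql-action/upload-sarif@v3   # assumed version tag
        with:
          sarif_file: results.sarif
```

Scorecard's own Pinned-Dependencies check expects `uses:` references pinned to a full commit SHA rather than the mutable tags used as placeholders here, so a repository adopting this workflow would pin them to keep its score.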

@mprpic mprpic self-assigned this Apr 3, 2026
Contributor

@rd4398 rd4398 left a comment


Looks good to me!

@LalatenduMohanty
Member

@Mergifyio rebase

Add automated weekly Scorecard analysis that publishes results to the
OpenSSF dashboard and uploads SARIF findings to GitHub's Security tab.

The workflow also triggers on any changes to the branch protection rules
so that any changes can be reflected in the current score immediately,
and also allows running the workflow manually.

See also python-wheel-build#1008

Co-authored-by: Claude Opus 4.6 <noreply@anthropic.com>
Signed-off-by: Martin Prpič <mprpic@redhat.com>
@mergify
Contributor

mergify bot commented Apr 3, 2026

Deprecation notice: This pull request comes from a fork and was rebased using bot_account impersonation. This capability will be removed on July 1, 2026. After this date, the rebase action will no longer be able to rebase fork pull requests with this configuration. Please switch to the update action/command to ensure compatibility going forward.

@mergify
Contributor

mergify bot commented Apr 3, 2026

rebase

✅ Branch has been successfully rebased

@LalatenduMohanty LalatenduMohanty force-pushed the automate-openssf-scorecard branch from b344f6e to 79c9c8a April 3, 2026 18:00
@mergify mergify bot merged commit 5a49262 into python-wheel-build:main Apr 3, 2026
37 checks passed