feat(ci): add OpenSSF Scorecard workflow + README badge (#17)

OpenSSF Scorecard scores public OSS repos on supply-chain security
posture (pinned dependencies, branch protection, dependency update
tooling, SAST, token permissions, etc). Runs weekly, publishes to the
scorecard.dev viewer, uploads SARIF to the GitHub Security tab.

Closes the 6-PR standards-alignment series. This repo now matches the
hardening baseline established in heyvaldemar/aws-kubectl-docker:

- PR #12: .env hygiene + credential rotation
- PR #13: LICENSE, SECURITY.md, CHANGELOG, Dependabot docker ecosystem,
  FUNDING.yml removal
- PR #14: CI workflow hardening (pinned SHAs, per-job permissions,
  timeouts, concurrency, weekly rebuild)
- PR #15: upstream image digest pinning with Dependabot auto-bumps
- PR #16: full README rewrite in evaluator-first structure
- PR #17: [this commit] OpenSSF Scorecard workflow + badge

Workflow:

- .github/workflows/scorecard.yml — matches the shape used on
  aws-kubectl-docker. All four action pins are commit-SHA based:
    actions/checkout@de0fac2e... # v6
    ossf/scorecard-action@4eaacf05... # v2.4.3
    actions/upload-artifact@043fb46d... # v7.0.1
    github/codeql-action@95e58e9a... # v4.35.2

  The scorecard-action and codeql-action pins are specifically the
  dereferenced commit SHAs of annotated tags, not the tag-object SHAs
  that GitHub's /git/refs/tags/v* API returns. Scorecard's own
  imposter-commit check rejects tag-object SHAs. See aws-kubectl-docker
  PR #24 for the background.

- Triggers: weekly cron (Tuesday 06:00 UTC, one day after the Monday
  deployment verification run), every push to main, branch protection
  rule changes, workflow_dispatch.

- Permissions: read-all at workflow level (Scorecard needs broad read
  access); job-level narrows to security-events:write (SARIF upload),
  id-token:write (OpenSSF API OIDC), contents:read + actions:read.

README:

- Scorecard badge added between Deployment Verification and License
  badges. Badge URL points at api.scorecard.dev/projects/<repo>/badge;
  target URL is the scorecard.dev viewer.

CHANGELOG:

- [Unreleased] entry documents the workflow + badge addition.

Expected initial score: mid-to-high single digits, with penalties for
Code-Review 0 (solo maintainer), Fuzzing 0 (not applicable to a
deployment template), CII-Best-Practices 0 (not registered). These
are honest trade-offs, not oversights.

Co-authored-by: Vladimir Mikhalev <ask@sre.gg>
Co-authored-by: Claude Opus 4.7 (1M context) <noreply@anthropic.com>

Author: 3 people

.github/workflows/scorecard.yml

@@ -0,0 +1,62 @@
+name: OpenSSF Scorecard
+
+on:
+  branch_protection_rule:
+  schedule:
+    # Weekly on Tuesdays at 06:00 UTC — after the Monday 06:00 UTC deployment
+    # verification run (deployment-verification.yml). Keeps the Scorecard
+    # score in sync with any weekly change in pinned-dependency posture.
+    - cron: "0 6 * * 2"
+  push:
+    branches: [main]
+  workflow_dispatch:
+
+# Scorecard needs broad read access to score the repo; individual jobs
+# narrow this further for the steps that need write scopes.
+permissions: read-all
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      # Needed for SARIF upload to the Security tab.
+      security-events: write
+      # Needed to publish results to the public OpenSSF API (scorecard.dev).
+      id-token: write
+      # Needed to read the repo state and workflow history.
+      contents: read
+      actions: read
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard analysis
+        # Pinned to the commit SHA of v2.4.3 (not the tag-object SHA returned
+        # by GitHub's /git/refs/tags endpoint, which Scorecard's own
+        # imposter-commit check rejects). See aws-kubectl-docker PR #24 for
+        # the background.
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish results to the public OpenSSF API so the README badge
+          # populates. No token needed for public repos; the workflow's OIDC
+          # token authenticates.
+          publish_results: true
+
+      - name: Upload Scorecard results as workflow artifact
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload SARIF to GitHub Security tab
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: results.sarif

CHANGELOG.md

@@ -8,6 +8,16 @@ and this project adheres to [Semantic Versioning](https://semver.org/spec/v2.0.0
 ## [Unreleased]
 
 ### Added
+- `.github/workflows/scorecard.yml` — OpenSSF Scorecard analysis workflow.
+  Runs weekly on Tuesdays at 06:00 UTC (one day after the Monday deployment
+  verification run), on every push to `main`, and on branch-protection-rule
+  changes. Publishes results to the public OpenSSF API (scorecard.dev
+  viewer) and uploads SARIF to the GitHub Security tab. All action pins
+  are commit-SHA based, including the dereferenced commit SHA for the
+  annotated-tag `ossf/scorecard-action@v2.4.3` (plain `@v2.4.3` tag-object
+  SHA is rejected by Scorecard's imposter-commit verification).
+- README badge for OpenSSF Scorecard, placed between the Deployment
+  Verification and License badges.
 - `LICENSE` — canonical MIT license text at repo root, `Copyright (c) 2021-2026 Vladimir Mikhalev (heyvaldemar)`.
 - `SECURITY.md` — vulnerability disclosure policy, supported versions, supply-chain trust statement, and a callout for the pre-PR-#12 credential rotation advisory.
 - `CHANGELOG.md` — this file, Keep-a-Changelog format.

README.md

@@ -1,6 +1,7 @@
 # Keycloak + Traefik + Let's Encrypt — Docker Compose
 
 [![Deployment Verification](https://github.com/heyvaldemar/keycloak-traefik-letsencrypt-docker-compose/actions/workflows/deployment-verification.yml/badge.svg?branch=main)](https://github.com/heyvaldemar/keycloak-traefik-letsencrypt-docker-compose/actions/workflows/deployment-verification.yml)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/heyvaldemar/keycloak-traefik-letsencrypt-docker-compose/badge)](https://scorecard.dev/viewer/?uri=github.com/heyvaldemar/keycloak-traefik-letsencrypt-docker-compose)
 [![License: MIT](https://img.shields.io/badge/License-MIT-yellow.svg)](https://opensource.org/licenses/MIT)
 
 ## Contents