Document release verification #33

Workflow file for this run

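# Runs the OpenSSF Scorecard CLI against this repository and keeps the JSON
# report as a workflow artifact.
name: Scorecards

# Triggers: pushes to the default branch (either name), a weekly scheduled
# run (Mondays, 05:00 UTC), and manual dispatch.
on:
  push:
    branches:
      - master
      - main
  schedule:
    - cron: "0 5 * * 1"
  workflow_dispatch:

# One active run per workflow and ref; a newer run cancels the older one.
concurrency:
  group: ${{ github.workflow }}-${{ github.ref }}
  cancel-in-progress: true

# Workflow-wide default for GITHUB_TOKEN: read-only on every scope.
# A job with its own `permissions` block replaces this default. A job without
# one inherits read access to all scopes, so give each job an explicit,
# narrower block.
permissions: read-all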
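jobs:
  scorecard:
    name: OSSF Scorecards
    runs-on: ubuntu-latest
    # Bound the run so a hung download or API call cannot hold the runner.
    timeout-minutes: 15
    # Explicit read-only scopes for this job's GITHUB_TOKEN; no write scope
    # is granted.
    permissions:
      actions: read
      checks: read
      contents: read
      issues: read
      pull-requests: read
      statuses: read
    steps:
      # Third-party actions are pinned to a full commit SHA; the trailing
      # comment records the tag the SHA was taken from.
      # persist-credentials: false keeps the token out of the checked-out
      # repository's git config, so later steps cannot reuse it through git.
      - uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6
        with:
          persist-credentials: false

      - name: Install Scorecard CLI
        env:
          # Version and digest are a pair: bump both together, and take the
          # digest from the release's published checksums rather than from
          # hashing whatever was downloaded.
          SCORECARD_VERSION: "5.5.0"
          SCORECARD_SHA256: "83b90a05c1540ef1390db1cd5711e5fd04be9c1d8537fb84d39d02092d6a8dff"
        run: |
          set -euo pipefail
          # linux_amd64 asset: assumes an x86-64 Linux runner.
          archive="scorecard_${SCORECARD_VERSION}_linux_amd64.tar.gz"
          curl -fsSLO "https://github.com/ossf/scorecard/releases/download/v${SCORECARD_VERSION}/${archive}"
          # Verify before unpacking. The check line is digest, two spaces,
          # file name; a mismatch fails the step under `set -e`.
          echo "${SCORECARD_SHA256}  ${archive}" | sha256sum -c -
          mkdir -p "$RUNNER_TEMP/scorecard"
          # Extract only the named member, not everything in the archive.
          tar -xzf "${archive}" -C "$RUNNER_TEMP/scorecard" scorecard
          chmod 0755 "$RUNNER_TEMP/scorecard/scorecard"

      - name: Analyze
        env:
          # The token reaches the CLI through the environment, not through
          # the command line.
          GITHUB_AUTH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
        run: |
          set -euo pipefail
          # Repository and commit come from runner-provided environment
          # variables, so no `${{ }}` expression text is expanded into the
          # shell source before it runs.
          "$RUNNER_TEMP/scorecard/scorecard" \
            --repo="github.com/${GITHUB_REPOSITORY}" \
            --commit="${GITHUB_SHA}" \
            --format=json \
            --output="scorecard-results.json" \
            --show-details

      - name: Upload Scorecard artifact
        uses: actions/upload-artifact@ea165f8d65b6e75b540449e92b4886f43607fa02 # v4
        with:
          name: openssf-scorecard
          path: scorecard-results.json
          # A missing report is a failure, not a silent skip.
          if-no-files-found: error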