Description
Use case(s) - what problem will this feature solve?
Hi, I'm Pedro and I've recently made some supply-chain security suggestions to gRPC-Go (see #6775 and #6815).
I detected these potential issues by using the OpenSSF Scorecard, a tool that scans a repository looking for areas where it can improve its supply-chain security posture.
I'm happy to have made these changes, but it is surprisingly easy to slip up and accidentally open the project up to one of these attack vectors (or others) again in the future.
Proposed Solution
I suggest gRPC-Go adopt the Scorecard Action. This workflow runs whenever code enters the codebase and populates the repo's Security Dashboard with actionable suggestions and areas of improvement, notifying you if ever there's a slip-up.
I'll send a PR along with this issue so you can take a look at the workflow.
Alternatives Considered
N/A
Additional Context
gRPC-Go currently scores a 7.9/10 on Scorecard, which puts it in the top 1% of projects!