
feat: add OSSF Scorecard GitHub Actions workflow #82

Merged
seonghobae merged 8 commits into develop from copilot/add-dependency-review-and-ossf-scoreboard on Mar 25, 2026

Conversation

Copilot AI (Contributor) commented Mar 25, 2026

Adds OSSF Scorecard supply-chain analysis as a GitHub Actions workflow. Dependency Review already existed in the repository.

New workflow: .github/workflows/ossf-scorecard.yml

  • Runs ossf/scorecard-action@v2.4.3 on push to develop/main, weekly schedule, and branch_protection_rule events
  • Uploads SARIF results to GitHub Security tab via codeql-action/upload-sarif
  • Publishes results to OpenSSF (publish_results: true)
  • All actions SHA-pinned; permissions: read-all top-level with security-events: write + id-token: write scoped to job

Supply-chain verification update: scripts/checks/verify_supply_chain.py

  • Added ossf-scorecard.yml to REQUIRED_FILES
  • Added workflow coverage checks for expected tokens (develop, main, push, schedule, ossf-scorecard)
Original prompt

Please add both Dependency Review and OSSF Scoreboard as GitHub Actions.



…ain verification

Co-authored-by: seonghobae <8172694+seonghobae@users.noreply.github.com>
Agent-Logs-Url: https://github.com/seonghobae/bandscope/sessions/ba935340-dbe2-4369-bee3-5b437786b486
Copilot AI changed the title [WIP] Add Dependency Review and OSSF Scoreboard to GitHub Actions feat: add OSSF Scorecard GitHub Actions workflow Mar 25, 2026
Copilot AI requested a review from seonghobae March 25, 2026 14:04
@seonghobae seonghobae marked this pull request as ready for review March 25, 2026 14:23
@seonghobae (Owner) commented:

@coderabbitai review


coderabbitai Bot commented Mar 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.


coderabbitai Bot commented Mar 25, 2026

Warning

Rate limit exceeded

@seonghobae has exceeded the limit for the number of commits that can be reviewed per hour. Please wait 6 minutes and 3 seconds before requesting another review.

⌛ How to resolve this issue?

After the wait time has elapsed, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans have higher rate limits than the trial, open-source and free plans. In all cases, we re-allow further reviews after a brief timeout.

Please see our FAQ for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: cea2f966-2662-4959-90ac-a8f3abc40e8e

📥 Commits

Reviewing files that changed from the base of the PR and between 6fbee19 and bf8ac2d.

📒 Files selected for processing (2)
  • .github/workflows/ossf-scorecard.yml
  • scripts/checks/verify_supply_chain.py
📝 Walkthrough

The .github/workflows/ossf-scorecard.yml workflow was added, and scripts/checks/verify_supply_chain.py was updated to check that the workflow exists and that its triggers/tokens (develop, main, push, schedule, ossf-scorecard) are present.

Changes

| Cohort / File(s) | Summary |
|---|---|
| GitHub Actions workflow<br>`.github/workflows/ossf-scorecard.yml` | New workflow added: triggered by pushes to develop/main and a weekly cron; checks out the repository, runs ossf/scorecard-action to produce results.sarif, uploads the SARIF as an artifact and uploads it to GitHub. |
| Supply-chain verification script<br>`scripts/checks/verify_supply_chain.py` | Adds the new workflow path to REQUIRED_FILES and extends verify_workflow_coverage(): loads the workflow file, checks that the develop, main, push, schedule and ossf-scorecard tokens are present, and reports violations. |

Sequence Diagram(s)

```mermaid
sequenceDiagram
    autonumber
    participant Dev as Developer
    participant Repo as GitHub Repo
    participant Runner as Actions Runner
    participant Scorecard as OSSF Scorecard
    participant Artifacts as GitHub Artifacts
    participant Upload as SARIF Uploader
    participant Verifier as verify_supply_chain.py

    Dev->>Repo: Push to `develop`/`main` or cron
    Repo->>Runner: Trigger `ossf-scorecard` workflow
    Runner->>Scorecard: Run ossf/scorecard-action analysis
    Scorecard-->>Runner: Produce `results.sarif`
    Runner->>Artifacts: Upload `results.sarif` (artifact)
    Runner->>Upload: Upload SARIF to GitHub
    Verifier->>Repo: Read `.github/workflows/ossf-scorecard.yml`
    Verifier->>Verifier: Check tokens `develop`, `main`, `push`, `schedule`, `ossf-scorecard`
    Verifier-->>Repo: Report violations if missing
```

Estimated code review effort

🎯 3 (Moderate) | ⏱️ ~20 minutes

Possibly related PRs

🐰 Planting a new workflow in git,
counting tokens, hopping through the checks,
carrying SARIF, twinkling into the night sky,
reassurance grows like a little carrot,
hopping with joy across the GitHub fields 🥕🐇

🚥 Pre-merge checks | ✅ 3
✅ Passed checks (3 passed)

| Check name | Status | Explanation |
|---|---|---|
| Title check | ✅ Passed | The pull request title clearly and concisely summarizes the main change: adding an OSSF Scorecard GitHub Actions workflow, which matches the primary objective of the changeset. |
| Description check | ✅ Passed | The pull request description is detailed and directly related to the changeset, covering the new workflow file, its configuration, and the supply-chain verification script updates. |
| Docstring Coverage | ✅ Passed | Docstring coverage is 100.00% which is sufficient. The required threshold is 80.00%. |


coderabbitai Bot previously requested changes Mar 25, 2026

coderabbitai Bot left a comment

Actionable comments posted: 2

🤖 Prompt for all review comments with AI agents
Verify each finding against the current code and only fix it if needed.

Inline comments:
In @.github/workflows/ossf-scorecard.yml:
- Around line 3-10: The workflow currently includes an unsupported trigger
branch_protection_rule; remove that key from the workflow so only supported
triggers remain (push and schedule) and ensure the existing schedule (cron) and
push branches remain unchanged; specifically delete the branch_protection_rule
entry and keep the schedule (cron: '30 1 * * 1') and push (branches: - develop -
main) triggers so the OSSF scorecard-action runs only on supported events.

In `@scripts/checks/verify_supply_chain.py`:
- Around line 160-165: Refactor the loop that currently appends each missing scorecard token one at a time into a list.extend pattern to improve consistency and performance: using scorecard and the token list (e.g.
["develop","main","push","schedule","ossf-scorecard"]), collect the missing tokens with a
comprehension and add them in one go with missing.extend(...); related identifiers: scorecard,
missing, token.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Organization UI

Review profile: ASSERTIVE

Plan: Pro

Run ID: 46fe74d5-1bf4-470c-80d6-49a884d0c83f

📥 Commits

Reviewing files that changed from the base of the PR and between 6e93f87 and 6fbee19.

📒 Files selected for processing (2)
  • .github/workflows/ossf-scorecard.yml
  • scripts/checks/verify_supply_chain.py
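The token-coverage check that the PR description attributes to verify_supply_chain.py and the list.extend() pattern the review asked for above, as an added Python example that is not the project's own script: it also checks the SHA pinning the description claims for every `uses:` line and rejects the branch_protection_rule trigger the review flagged. The function name, the regexes and the sample workflow (with constructed all-zero placeholder SHAs) are assumptions.

```python
import re

# Tokens the PR description says verify_supply_chain.py checks the workflow for.
SCORECARD_TOKENS = ["develop", "main", "push", "schedule", "ossf-scorecard"]

# A `uses:` ref counts as SHA-pinned only when it is a full 40-hex commit id.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.\-/]+)@(\S+)", re.MULTILINE)
SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def check_scorecard_workflow(text: str) -> list[str]:
    """Return the list of violations found in the workflow text (empty means OK)."""
    missing: list[str] = []
    # Collect missing tokens with one extend() call, as the review requested.
    missing.extend(
        f"ossf-scorecard.yml: missing token '{token}'"
        for token in SCORECARD_TOKENS
        if token not in text
    )
    # The trigger the review flagged as unsupported by ossf/scorecard-action.
    if "branch_protection_rule" in text:
        missing.append("ossf-scorecard.yml: unsupported trigger branch_protection_rule")
    # Every action must be pinned to a commit SHA, not a mutable tag such as v2.4.3.
    missing.extend(
        f"ossf-scorecard.yml: {action} is pinned to {ref!r}, not a commit SHA"
        for action, ref in USES_RE.findall(text)
        if not SHA_RE.match(ref)
    )
    return missing


# Constructed sample in the shape the PR describes; all-zero SHAs are placeholders.
PLACEHOLDER_SHA = "0" * 40
SAMPLE_OK = f"""name: ossf-scorecard
on:
  push:
    branches: [develop, main]
  schedule:
    - cron: '30 1 * * 1'
permissions: read-all
jobs:
  analysis:
    steps:
      - uses: actions/checkout@{PLACEHOLDER_SHA}
      - uses: ossf/scorecard-action@{PLACEHOLDER_SHA}
"""
# The same workflow with a tag pin and the unsupported trigger re-introduced.
SAMPLE_BAD = SAMPLE_OK.replace(
    f"ossf/scorecard-action@{PLACEHOLDER_SHA}", "ossf/scorecard-action@v2.4.3"
).replace("  schedule:", "  branch_protection_rule:\n  schedule:")
```

Running `check_scorecard_workflow(SAMPLE_BAD)` reports exactly the two problems the review raised, while `SAMPLE_OK` yields no violations.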

…ecard workflow

The branch_protection_rule event is not supported by the ossf/scorecard-action
and causes unexpected behavior. Keep only push (develop, main) and weekly schedule.

Addresses CodeRabbit review comment on PR #82.
…recard loop

Replace individual append() calls in the ossf scorecard token loop with
a single extend() using a generator expression, as requested in CodeRabbit review.
@seonghobae (Owner) commented:
@coderabbitai review


coderabbitai Bot commented Mar 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae seonghobae dismissed coderabbitai[bot]’s stale review March 25, 2026 14:51

All requested changes implemented in commits 93e19c6 and 7889aaa: removed branch_protection_rule trigger from ossf-scorecard.yml and refactored scorecard token loop to use .extend() with generator in verify_supply_chain.py

@seonghobae seonghobae enabled auto-merge (squash) March 25, 2026 14:52

coderabbitai Bot commented Mar 25, 2026

✅ Actions performed

Review triggered.

Note: CodeRabbit is an incremental review system and does not re-review already reviewed commits. This command is applicable only when automatic reviews are paused.

@seonghobae seonghobae merged commit 9fb2537 into develop Mar 25, 2026
21 checks passed