Merge pull request #75 from devonartis/develop #13

	name: Scorecard supply-chain security

	# Runs OpenSSF Scorecard against the repo on every push to main and on a
	# weekly schedule. SARIF uploads to GitHub Code Scanning which is free on
	# public repos. Several Scorecard checks (branch protection, code review,
	# signed releases) only signal meaningfully on public repos — now that
	# we've flipped public, the first run establishes the baseline published
	# on the Scorecard badge in the README. Parked under `workflow_dispatch:`
	# while the repo was private; re-enabled 2026-04-12 (TD-VUL-006).

	on:
	branch_protection_rule:
	push:
	branches: [main]
	schedule:
	- cron: '0 7 * * 1' # weekly Monday 07:00 UTC
	workflow_dispatch:

	permissions: read-all

	jobs:
	analysis:
	name: Scorecard analysis
	runs-on: ubuntu-latest
	permissions:
	security-events: write
	id-token: write
	contents: read
	actions: read
	steps:
	- uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
	with:
	persist-credentials: false
	- uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
	with:
	results_file: results.sarif
	results_format: sarif
	publish_results: true
	- uses: actions/upload-artifact@bbbca2ddaa5d8feaa63e36b76fdaad77386f024f # v7.0.0
	with:
	name: SARIF file
	path: results.sarif
	retention-days: 5
	- uses: github/codeql-action/upload-sarif@f94817b9f0deeb3871261446912ae8f854d1b675 # codeql-bundle-v2.25.1
	with:
	sarif_file: results.sarif

Provide feedback