Add the OpenSSF Scorecard GitHub Action

[pnacht]

Hello, I'm working on behalf of Google and the OpenSSF to improve the supply-chain security of essential open-source projects. The OpenSSF is a non-profit foundation dedicated to improving the security of the open-source community. It counts GitHub as a founding member.

The Scorecard system combines dozens of automated checks to let maintainers better understand their project's supply-chain security posture. It is developed by the OpenSSF, with direct support from GitHub.

Given pandas' ubiquity within the Python data-science ecosystem, the OpenSSF has included it in its list of the 100 most critical open-source projects. I see Scorecards was already referenced in PR #47652, which improved one aspect of pandas' supply-chain security.

However, the OpenSSF has also developed the Scorecard GitHub Action, which adds the results of its checks to the project's security dashboard, as well as suggestions on how to solve any issues (see examples below). Optionally, it can also publish your results to the OpenSSF REST API, which allows a badge with the project's score to be added to its README.

This Action has been adopted by 1600+ projects already. But adding pandas would single-handedly be a step change to the entire Python data-analysis ecosystem's supply-chain security.

Would you be interested in a PR which adds this Action?

[mroeschke]

Sure a PR would be welcome.

[MarcoGorelli]

@pnacht this is currently failing on the builds on main, any idea why?