fix(security): add artifact attestation for signed releases (#257) #3

fix(security): add artifact attestation for signed releases (#257)

fix(security): add artifact attestation for signed releases (#257) #3

Workflow file for this run

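name: OpenSSF Scorecard

on:
  schedule:
    - cron: '0 3 * * 0' # Sundays at 3 AM UTC
  push:
    branches:
      - main

# Workflow-level default is read-only; the job below widens only what it needs.
permissions:
  contents: read

jobs:
  scorecard:
    name: Scorecard Analysis
    runs-on: ubuntu-latest
    permissions:
      # Required by the upload-sarif step to write to Code Scanning.
      security-events: write
      # Required by scorecard-action when publish_results is true
      # (the action requests an OIDC token for publishing — see its docs).
      id-token: write
      contents: read
    steps:
      - name: Checkout repository
        uses: actions/checkout@8e8c483db84b4bee98b60c0593521ed34d9990e8 # v4.2.2
        with:
          # Do not leave the GITHUB_TOKEN in the checkout's git config
          # where later steps (and third-party actions) could read it.
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true

      - name: Upload SARIF results
        uses: github/codeql-action/upload-sarif@ce729e4d353d580e6cacd6a8cf2921b72e5e310a # v3.27.0
        with:
          sarif_file: results.sarif
          category: openssf-scorecard
        # Best-effort: a Code Scanning upload failure must not fail the run;
        # the SARIF is still retained as an artifact by the next step.
        continue-on-error: true

      - name: Upload artifact
        uses: actions/upload-artifact@b4b15b8c7c6ac21ea08fcf65892d2ee8f75cf882 # v4.4.3
        with:
          name: scorecard-results
          path: results.sarif
          retention-days: 90

      - name: Add job summary
        if: always()
        env:
          # Derive the badge URL from the repository running the workflow
          # instead of a hard-coded owner/name, so forks and renames stay correct.
          # Passed via env rather than interpolated into the script body so the
          # shell never receives a raw expression expansion.
          REPO: ${{ github.repository }}
        run: |
          {
            echo "## OpenSSF Scorecard Analysis Complete"
            echo ""
            echo "📊 View results in the Security tab under Code Scanning"
            echo ""
            echo "🏆 [View Scorecard Badge](https://scorecard.dev/viewer/?uri=github.com/${REPO})"
          } >> "$GITHUB_STEP_SUMMARY"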