
Flagging supply-chain security issues #882

@gabibguti

Description


Flagging supply-chain security issues is important for you to be aware of where your repository is vulnerable to these attacks and act upon it. Supply-chain attacks aim for your development, build and release weaknesses. That's why using minimum permissions for actions and referencing actions by commit SHA in your GitHub workflows helps protect you from malicious actions on GitHub, especially in build and release workflows.

In this repository, we have already worked to flag and fix a few supply-chain security issues. To flag more issues like that we can use the Scorecard security tool to receive alerts in GitHub's Security Dashboard. If you agree, I can open a PR to add it.

Additional Context

Hi again! I'm Gabriela and I work on behalf of Google and the OpenSSF suggesting supply-chain security changes :)
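
The two workflow hardening points raised above, least-privilege `permissions` and actions pinned by full commit SHA, as a small line-based checker. This is an added example, not Scorecard's code or anything from this repository; the two sample workflows and the `PIN` value are constructed placeholders, not real commits.

```python
import re

SHA40 = re.compile(r"[0-9a-f]{40}")
USES = re.compile(r"^\s*-?\s*uses:\s*([^\s@#]+)(?:@([^\s#]+))?")
PERMS = re.compile(r"^(\s*)permissions:\s*([^\s#]*)")

def audit_workflow(text: str) -> list[str]:
    """Flag unpinned actions and missing/over-broad GITHUB_TOKEN permissions."""
    findings, top_level_perms = [], False
    for n, line in enumerate(text.splitlines(), 1):
        m = USES.match(line)
        if m:
            action, ref = m.group(1), m.group(2)
            if action.startswith(("./", "docker://")):  # local/docker: no SHA to pin
                continue
            if not (ref and SHA40.fullmatch(ref)):
                findings.append(f"line {n}: {action}@{ref or '<none>'} is not pinned to a commit SHA")
        m = PERMS.match(line)
        if m:
            top_level_perms |= m.group(1) == ""  # column-0 block applies to all jobs
            if m.group(2) == "write-all":
                findings.append(f"line {n}: permissions: write-all grants every scope")
    if not top_level_perms:
        findings.append("no top-level permissions block; GITHUB_TOKEN falls back to the repository default")
    return findings

# Constructed sample workflows (not taken from any real repository).
WEAK = """on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: actions/setup-node@main
      - uses: ./.github/actions/local-step
"""
PIN = "0123456789abcdef0123456789abcdef01234567"  # placeholder SHA, not a real commit
HARDENED = f"""on: [push]
permissions: read-all
jobs:
  build:
    runs-on: ubuntu-latest
    permissions:
      contents: read
    steps:
      - uses: actions/checkout@{PIN}  # v4
      - uses: actions/setup-node@{PIN}
"""
```

`audit_workflow(WEAK)` returns three findings (two unpinned actions and the missing top-level permissions block); `audit_workflow(HARDENED)` returns none.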
