ci: add OpenSSF Scorecard workflow to enable security badge (#47)

* ci: add OpenSSF Scorecard workflow to enable security badge

Configures OpenSSF Scorecard analysis to:
- Run weekly on Mondays
- Publish results to OpenSSF API (enables badge)
- Upload SARIF results to GitHub code scanning
- Allow manual workflow dispatch

This will fix the "invalid repo path" error on the OpenSSF
Scorecard badge by actually running the security analysis.

🤖 Generated with [Claude Code](https://claude.com/claude-code)

Co-Authored-By: Claude <noreply@anthropic.com>

* chore: update GitHub Actions to latest versions

- actions/checkout: v4 -> v5
- ossf/scorecard-action: v2.4.0 -> v2.4.3
- github/codeql-action/upload-sarif: v3 -> v4

---------

Co-authored-by: Claude <noreply@anthropic.com>

Author: dreamiurg

.github/workflows/scorecard.yml

@@ -0,0 +1,50 @@
+name: OpenSSF Scorecard
+
+on:
+  # Run weekly on Monday at 00:00 UTC
+  schedule:
+    - cron: '0 0 * * 1'
+  # Allow manual trigger
+  workflow_dispatch:
+  # Run on push to main for initial setup
+  push:
+    branches:
+      - main
+
+# Needed to upload results to code-scanning dashboard
+permissions:
+  contents: read
+  security-events: write
+  id-token: write
+  actions: read
+
+jobs:
+  analysis:
+    name: Scorecard analysis
+    runs-on: ubuntu-latest
+
+    steps:
+      - name: Checkout code
+        uses: actions/checkout@v5
+        with:
+          persist-credentials: false
+
+      - name: Run analysis
+        uses: ossf/scorecard-action@v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          # Publish results to OpenSSF REST API for the badge
+          publish_results: true
+
+      - name: Upload artifact
+        uses: actions/upload-artifact@v4
+        with:
+          name: SARIF file
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@v4
+        with:
+          sarif_file: results.sarif