Additions to reporeview

[matthewfeickert]

While discussing Issue #9, it was brought up that we should try to add Trusted Publishers, SLSA signing to reporeview and then also look at the OpenSSF scorecards to see if there are things we care about there that maybe could be brought over (example, limiting GitHub Action runner privilges by default (c.f. scikit-hep/pyhf#2483)).

Assigning @henryiii given interest, not to say that he is responsible for all changes.

Tagging @jarrodmillman, @stefanv, @juanis2112 given other comments.

[lagru]

2cts: One thing that might also be useful to add, would be checks or recommendations for the configuration of the Repo / Org? I don't know whether querying the GitHub REST API is within scope of repo-review, but if it is, it should be doable. E.g. I think you can query whether Actions are restricted via the REST API.

[henryiii]

querying the GitHub REST API

It's not something that's currently available. If it was added, it would not work when running directly on a repo in file, so tests using a API-based fixture would need to be skipped or ignored unless using a URL.