Reintroduce the Scorecard workflow

[ppkarwasz]

We should reconsider enabling the Scorecard action, considering especially that:

• A Scorecard for Apache Log4j is computed anyway, since Scorecards are computed for 1 million critical projects. Running the action ourselves we have more control on what the public sees.
• We enabled mandatory PR reviews, so random pushes to our default branch will not decrease our score.

Blocked by ossf/scorecard-webapp#554

[ppkarwasz]

@vy, what do you think?

[vy]

We had enabled Scorecards, and it helped with

1. Creating a maintenance burden (Remember how many times we needed to fix its CI workflow?)
2. Bringing literally no value by any means

A Scorecard for Apache Log4j is computed anyway, since Scorecards are computed for 1 million critical projects.

Right, and hence, I don't see the reason to duplicate that work. Users interested in Log4j's Scorecards, can find it anyway.

we have more control on what the public sees

Do you imply that OSSF is manipulating the scores? Or, we can manipulate the scores as we see fit?

[ppkarwasz]

we have more control on what the public sees

Do you imply that OSSF is manipulating the scores? Or, we can manipulate the scores as we see fit?

No, but the data is hard to find (it requires a Google Cloud account) and it is difficult to check what the score is. We don't need to announce the score via a badge, but we can still compute it.