ci: use reusable Scorecard workflow

.github/workflows/ci.yaml

@@ -8,6 +8,7 @@ on:
 concurrency:
   group: ci-${{ github.head_ref || github.ref }}
   cancel-in-progress: true
+
 permissions:
   contents: read
 jobs:

.github/workflows/codeql.yaml

@@ -10,6 +10,8 @@ on:
   schedule:
     - cron: "34 0 * * 3"
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/github-workflows/.github/workflows/codeql.yaml@main

.github/workflows/dependency-review.yaml

@@ -1,18 +1,10 @@
 ---
-# Dependency Review Action
-#
-# This Action will scan dependency manifest files that change as part of a Pull Request,
-# surfacing known-vulnerable versions of the packages declared or updated in the PR.
-# Once installed, if the workflow run is marked as required,
-# PRs introducing known-vulnerable packages will be blocked from merging.
-#
-# Source repository: https://github.com/actions/dependency-review-action
-name: 'Dependency Review'
-on: [pull_request]
+name: Dependency Review
+on:
+  pull_request:
 
 permissions:
   contents: read
-
 jobs:
   dependency-review:
     runs-on: ubuntu-latest

.github/workflows/lint-pr.yaml

@@ -7,6 +7,8 @@ on:
       - edited
       - synchronize
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/github-workflows/.github/workflows/lint-pr.yaml@main

.github/workflows/release-please.yaml

@@ -6,6 +6,8 @@ on:
       - main
   workflow_dispatch:
 
+permissions:
+  contents: read
 jobs:
   trigger:
     uses: statnett/github-workflows/.github/workflows/release-please.yaml@main

.github/workflows/scorecard.yaml

@@ -0,0 +1,20 @@
+---
+name: Scorecard supply-chain security
+on:
+  branch_protection_rule:
+  schedule:
+    - cron: '20 7 * * 2'
+  push:
+    branches:
+      - main
+
+permissions:
+  contents: read
+jobs:
+  trigger:
+    uses: statnett/github-workflows/.github/workflows/scorecard.yaml@main
+    permissions:
+      security-events: write
+      id-token: write
+      contents: read
+      actions: read