
Add OpenSSF Scorecard workflow for recurring OSS security posture #1997

Open

Description

Summary

GStack has a growing GitHub Actions surface and recent supply-chain/security hardening work, but no OpenSSF Scorecard workflow or documented Scorecard run. Adding a scheduled + manual Scorecard check would give maintainers a single recurring signal for OSS security posture: token permissions, pinned actions/dependencies, branch protection, dangerous workflow patterns, dependency-update hygiene, and related repo health checks.

This is intentionally separate from the focused dependency-review request in #1987 and the CI hardening issue in #1948. Those fix point gaps. Scorecard keeps the overall posture visible so the same classes of gaps do not silently reappear.

Repo-local evidence

  • origin/main has 10 workflow files under .github/workflows/, including CI image publishing, eval result artifacts, PR title sync, Windows setup/e2e gates, and make-pdf gates.
  • git grep -n -E 'OpenSSF|Scorecard|ossf/scorecard|scorecard-action|scorecards|semgrep|osv-scanner|dependency-review|attest-build-provenance|attestation|codeql-action' origin/main -- .github package.json bun.lock README.md CONTRIBUTING.md docs returned no matches.
  • Several workflows currently have no explicit permissions: block: actionlint.yml, make-pdf-gate.yml, skill-docs.yml, windows-free-tests.yml, and windows-setup-e2e.yml.
  • Third-party actions are still referenced by mutable tags, for example actions/checkout@v4, oven-sh/setup-bun@v1/v2, docker/login-action@v3, and docker/build-push-action@v6. That is already tracked in #1948 (CI hardening: provider API keys exposed on pull_request (evals.yml) + third-party actions pinned to mutable tags); Scorecard would make this posture visible and measurable over time.
  • README positions /cso as the in-session security-audit skill, and recent accepted PRs include security/reliability guardrail work like #1911 (v1.57.6.0 fix wave: 8 community bugs (4 security guards failing open)). The repo has the product-level security culture; the repository-level posture signal is the missing layer.

Expected impact

Suggested fix

Add .github/workflows/scorecard.yml with:

  • workflow_dispatch and weekly schedule triggers.
  • permissions: contents: read plus security-events: write only if uploading SARIF to code scanning.
  • ossf/scorecard-action pinned to a full commit SHA, not a mutable tag, to stay aligned with #1948 (CI hardening: provider API keys exposed on pull_request (evals.yml) + third-party actions pinned to mutable tags).
  • with: results_file: scorecard-results.sarif, results_format: sarif, and artifact upload for debugging if SARIF upload is not enabled.
  • Start non-blocking. After the first few runs, choose which checks should become release gates versus informational signals.
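The suggested workflow written out as an added example; this is not a file from the gstack repository. The commit SHAs are placeholders to be replaced with the full SHA of each action's release tag, and the cron time is an arbitrary choice.

```yaml
# Added example of the proposed .github/workflows/scorecard.yml (not gstack's
# own file). <FULL_COMMIT_SHA> placeholders must be resolved to the 40-char SHA
# of the release tag named in the trailing comment before this is merged.
name: OpenSSF Scorecard

on:
  workflow_dispatch:
  schedule:
    - cron: '23 4 * * 1'   # weekly, Monday 04:23 UTC (arbitrary slot)
  # The scorecard-action README also lists this event so the
  # Branch-Protection check can run; optional for a first, informational run.
  branch_protection_rule:

# Read-only at the workflow level; the job grants only what its steps need.
permissions: read-all

jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      contents: read
      security-events: write   # only needed for the upload-sarif step below
      # id-token: write        # only if publish_results is switched to true
    steps:
      - name: Checkout
        uses: actions/checkout@<FULL_COMMIT_SHA> # v4
        with:
          persist-credentials: false   # scorecard needs no write token

      - name: Run Scorecard
        uses: ossf/scorecard-action@<FULL_COMMIT_SHA> # vX.Y.Z
        with:
          results_file: scorecard-results.sarif
          results_format: sarif
          publish_results: false   # non-blocking, local-only results at first

      # Keep the raw SARIF as a build artifact so findings can be inspected
      # even when code scanning upload is not enabled for the repo.
      - name: Upload results artifact
        uses: actions/upload-artifact@<FULL_COMMIT_SHA> # v4
        with:
          name: scorecard-results
          path: scorecard-results.sarif
          retention-days: 5

      # Surfaces findings in the Security tab. Drop this step together with
      # security-events: write if code scanning is not used.
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@<FULL_COMMIT_SHA> # v3
        with:
          sarif_file: scorecard-results.sarif
```

Nothing in this file fails the run on a low score; deciding which checks become release gates is a separate step once a few weekly results exist.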

Duplicate check performed

  • Inspected 200 open issues with gh issue list --repo garrytan/gstack --state open --limit 200 --json number,title,body,url,labels,updatedAt,author.
  • Inspected 200 open PRs with gh pr list --repo garrytan/gstack --state open --limit 200 --json number,title,body,url,labels,updatedAt,author,isDraft,headRefName.
  • Searched the inspected issue/PR title+body set for OpenSSF, Scorecard, scorecard, ossf/scorecard, and scorecards.
  • Ran targeted GitHub searches for OpenSSF Scorecard, scorecard security posture, scorecard branch protection token permissions, ossf scorecard, and github/codeql-action scorecard in garrytan/gstack.
  • Only adjacent hit found: #1987 (Add Dependency Review Action to block vulnerable dependency changes) mentions Scorecard in its evidence grep, but its requested fix is specifically GitHub Dependency Review. No open issue or PR requests an OpenSSF Scorecard workflow.

Commands/files inspected
