fix(ci): add scorecard security scan to merge queue

[thomasqueirozb]

Summary

Add an OSSF Scorecard security scan to the merge queue workflow. The job fails on critical findings (SARIF error-level), blocking merges that introduce dangerous workflow patterns like script injection.

Vector configuration

NA

How did you test this PR?

Downloaded a SARIF file from GHA with a critical vulnerability and ran the JQ commands locally

Change Type

• Bug fix
• New feature
• Dependencies
• Non-functional (chore, refactoring, docs)
• Performance

Is this a breaking change?

• Yes
• No

Does this PR include user facing changes?

• Yes. Please add a changelog fragment based on our guidelines.
• No. A maintainer will apply the no-changelog label to this PR.

References

• Related: fix(ci): prevent script injection in integration review workflow #25106

[pront]

@codex review

[pront]

Per https://github.com/ossf/scorecard-action#workflow-restrictions, merge_group triggers are not supported. How did you validate this PR?

[thomasqueirozb]

Per ossf/scorecard-action#workflow-restrictions, merge_group triggers are not supported. How did you validate this PR?

AFAICT this only applies when publishing results, which we are not doing in the MQ. There is also not really a way to test this without queuing and seeing if it passes.

[pront]

There is also not really a way to test this without queuing and seeing if it passes.

Here is a way to do this:

• Create a fresh repo like vectordotdev/merge-queue-scorecard-sandbox.
• Push a minimal workflow that matches the new scorecard job as closely as possible.
• Merge queue enabled on main.
• Create a PR that introduces a known dangerous workflow pattern that we expect to be caught by this check.
• If validated, then we can come back to this PR and merge it.

I understand it takes a lot of effort to test this, but especially given past learnings, we should not merge untested PRs.