Tracking OSSF Scorecard improvements

[trask]

https://securityscorecards.dev/viewer/?uri=github.com/open-telemetry/opentelemetry-java-instrumentation

[trask]

I don't understand why our "Token-Permissions" score is still 0/10. This is my latest attempt: #13156

UPDATE: that fixed the Token-Permissions score, now 10/10

[trask]

I answered questions for OpenSSF Best Practices program, which should bump our "CII-Best-Practices" score from 0/10 to 5/10.

[trask]

Next: convert from classic "branch protections" to "repository rules" as part of https://github.com/ossf/scorecard-action#authentication-with-fine-grained-pat-optional

UPDATE: I've enabled a ruleset on main to potentially replace the branch protection on main. I've set the ruleset enforcement to "Evaluate" which I think means it shouldn't prevent anything from happening, but we might(?) see it referenced in PRs, not sure...

[trask]

Also looking at CLOMonitor https://clomonitor.io/projects/cncf/open-telemetry#opentelemetry-java-instrumentation

[trask]

#13179 solved the gradle wrapper issue

[trask]

#13199 finally made OSSF SAST happy (need 30 PR commits that have been checked prior to merging in order to make it fully happy)

[trask]

#13210 didn't fix the Branch-Protection check

[trask]

The Branch-Protection check fails if there are any branch protections that have any matching branches.

Unfortunately there doesn't seem to be a way to achieve this using rule sets:

opentelemetry-java-instrumentation/.github/repository-settings.md

Lines 88 to 93 in b8eca76

	## Branch protections
	### `main`, `release/*`, `v0.*`, `v1.*`, `cloudfoundry`
	- Restrict who can push to matching branches: CHECKED
	- Restrict pushes that create matching branches: CHECKED

[trask]

Closing, can always follow-up on individual items later