I've made this suggestion as issue #9778 (https://github.com/php/php-src/issues/9778) and PR #9789 (https://github.com/php/php-src/pull/9789), but have been invited by @damianwadley to bring it to the mailing list.
The Scorecards GitHub Action basically keeps an eye on a repo's security posture and makes simple, objective suggestions for possible improvements. For PHP's current Scorecard results, see here: https://api.securityscorecards.dev/projects/github.com/php/php-src. At the moment it's a raw JSON dump, but it contains information on the results of all the individual checks as well as comments on how to improve the scores. When the Action is installed, this is cleanly added to the project's GitHub Security Panel with step-by-step instructions.

@iluuu1994 raised the issue that Scorecards suggests maximal branch protection and code review (prefer that all contributions come via PRs with some form of code review prior to being added to the repo), which is quite distinct from the current PHP workflow, which allows core maintainers to simply push directly. The reasons for this are entirely understandable. The Scorecard simply serves to indicate that other, more secure workflows exist. Whether their costs (in terms of agility and especially maintainer time) are worth it is a determination only the core team can make.

I'm happy to answer any questions anyone might have, and am also happy to help PHP in other ways if I can!

Thanks,
Pedro

P.S. First time contribution to the mailing list, apologies for any missteps!
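The raw JSON that the Scorecard API returns can be turned into a short remediation list without installing the Action. The following is an added example, not code from the original post or from the Scorecard project; the JSON field names (`checks`, `name`, `score`, `reason`, `documentation.url`) follow the public Scorecard output format as an assumption, and the sample results are constructed rather than php-src's real ones.

```python
import json

# Constructed sample shaped like Scorecard's JSON output (assumed field
# names; values are made up and are NOT php-src's real results).
SAMPLE_RESULTS = json.dumps({
    "repo": {"name": "github.com/example/repo", "commit": "0000000"},
    "score": 5.1,
    "checks": [
        {"name": "Branch-Protection", "score": 0,
         "reason": "branch protection not enabled on development/release branches",
         "documentation": {"short": "Checks whether default and release branches are protected.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#branch-protection"}},
        {"name": "Code-Review", "score": 3,
         "reason": "found 7 unreviewed changesets out of 30",
         "documentation": {"short": "Checks whether changes are reviewed before merge.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#code-review"}},
        {"name": "Token-Permissions", "score": 10,
         "reason": "tokens are read-only in GitHub workflows",
         "documentation": {"short": "Checks workflow token permissions.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#token-permissions"}},
        {"name": "Signed-Releases", "score": -1,
         "reason": "no releases found",
         "documentation": {"short": "Checks whether releases are signed.",
                           "url": "https://github.com/ossf/scorecard/blob/main/docs/checks.md#signed-releases"}},
    ],
})


def failing_checks(results_json, threshold=7):
    """Return checks scoring below `threshold` (0-10), lowest first.

    A score of -1 means Scorecard could not evaluate the check (inconclusive),
    so it is skipped rather than treated as a failure.
    """
    data = json.loads(results_json)
    findings = []
    for check in data.get("checks", []):
        score = check.get("score", -1)
        if score < 0 or score >= threshold:
            continue
        findings.append({
            "name": check["name"],
            "score": score,
            "reason": check.get("reason", ""),
            # The remediation comments the post refers to live under `documentation`.
            "remediation": check.get("documentation", {}).get("url", ""),
        })
    return sorted(findings, key=lambda f: f["score"])


def format_report(results_json, threshold=7):
    """Render failing checks as plain text for a list or issue tracker."""
    lines = ["%s (%s/10): %s -> %s" % (f["name"], f["score"], f["reason"], f["remediation"])
             for f in failing_checks(results_json, threshold)]
    return "\n".join(lines)


if __name__ == "__main__":
    print(format_report(SAMPLE_RESULTS))
```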