ci: add OpenSSF Scorecard supply-chain analysis workflow #11723

Open

camgrimsec wants to merge 1 commit into deepset-ai:main from camgrimsec:security/add-openssf-scorecard


Conversation

@camgrimsec (Contributor)

Add an OpenSSF Scorecard (https://github.com/ossf/scorecard) workflow that runs weekly and on every push to 'main'. Scorecard produces a SARIF report covering ~17 supply-chain checks (branch protection, SAST coverage, pinned dependencies, signed releases, dangerous workflow patterns, etc.) and uploads it to GitHub's code-scanning surface so results show up in the existing 'Security' tab.

Why this is the right shape of contribution for haystack:

  • The repo already follows almost all Scorecard best practices today: SHA-pinned third-party actions, dependabot for actions/pip/npm/docker, branch protection on main, signed releases, SECURITY.md present. Scorecard simply makes that posture visible and tracks regressions.
  • All actions are SHA-pinned (per existing repo convention - confirmed by reviewing other workflows in .github/workflows/).
  • Top-level 'permissions: read-all' with per-job least-privilege ('security-events: write' only on the analysis job) matches the pattern used by 'claude-code-review.yml' and 'labeler.yml'.
  • Pure additive: one new workflow file, no other workflow touched, no code touched, no CONTRIBUTING / SECURITY / README changes.
  • Runs on a shared 'ubuntu-latest' runner (consistent with the rest of the repo), weekly schedule (cron 32 6 * * 1) to avoid noisy Monday-morning runs.

If maintainers prefer, the README OpenSSF badge can be added in a follow-up PR once the first run completes.

Related Issues

  • fixes #issue-number

Proposed Changes:

How did you test it?

Notes for the reviewer

Checklist

  • I have read the contributors guidelines and the code of conduct.
  • I have updated the related issue with new insights and changes.
  • I have added unit tests and updated the docstrings.
  • I've used one of the conventional commit types for my PR title: fix:, feat:, build:, chore:, ci:, docs:, style:, refactor:, perf:, test: and added ! in case the PR includes breaking changes.
  • I have documented my code.
  • I have added a release note file, following the contributors guidelines.
  • I have run pre-commit hooks and fixed any issue.
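A workflow of the shape the description lays out (weekly cron plus push to `main`, top-level `read-all` permissions, `security-events: write` scoped to the single analysis job, SARIF uploaded to code scanning on a shared `ubuntu-latest` runner), written here as an added illustration; it is not the PR's own file and not deepset's code. The action versions are placeholders: the PR pins every action to a full commit SHA, so a real file would carry the 40-character SHA with the tag in a trailing comment. The `persist-credentials`, `results_file`, `results_format`, `publish_results` and `sarif_file` inputs are the documented inputs of the respective actions; the job id `analysis` and the workflow name are assumptions.

```yaml
name: OpenSSF Scorecard

on:
  # Weekly run, same cron as the PR description (Monday 06:32 UTC).
  schedule:
    - cron: '32 6 * * 1'
  # Re-score whenever the default branch changes.
  push:
    branches: [ "main" ]

# Workflow-wide default: every job starts with read-only tokens.
# Jobs that need more escalate explicitly below.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    permissions:
      # The only write scope in the workflow: required to upload the
      # SARIF file to the repository's code-scanning results.
      security-events: write
    steps:
      - name: Check out repository
        # PLACEHOLDER: replace <commit-sha> with the full SHA of the
        # release you pin, e.g. "@<sha> # vX.Y.Z", as the repo convention requires.
        uses: actions/checkout@<commit-sha> # vX.Y.Z
        with:
          # Scorecard only needs to read the tree; do not leave the
          # GITHUB_TOKEN in .git/config for later steps.
          persist-credentials: false

      - name: Run Scorecard
        uses: ossf/scorecard-action@<commit-sha> # vX.Y.Z
        with:
          results_file: results.sarif
          results_format: sarif
          # false keeps results in this repository only; publishing to
          # the public scorecard.dev viewer would additionally need
          # "id-token: write" on this job.
          publish_results: false

      - name: Upload SARIF to code scanning
        uses: github/codeql-action/upload-sarif@<commit-sha> # vX.Y.Z
        with:
          sarif_file: results.sarif
```

Two things a reviewer would check on the real file before merging: that each `uses:` reference resolves to a commit SHA rather than a mutable tag (a `grep -E 'uses: .*@[0-9a-f]{40}'` over the file is a quick way to confirm), and that if `publish_results` is later switched to `true`, the job is granted `id-token: write` deliberately, since that goes beyond the `security-events`-only grant the PR description commits to.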

Add an OpenSSF Scorecard (https://github.com/ossf/scorecard) workflow
that runs weekly and on every push to 'main'. Scorecard produces a
SARIF report covering ~17 supply-chain checks (branch protection, SAST
coverage, pinned dependencies, signed releases, dangerous workflow
patterns, etc.) and uploads it to GitHub's code-scanning surface so
results show up in the existing 'Security' tab.

Why this is the right shape of contribution for haystack:

- The repo already follows almost all Scorecard best practices today:
  SHA-pinned third-party actions, dependabot for actions/pip/npm/docker,
  branch protection on main, signed releases, SECURITY.md present.
  Scorecard simply makes that posture visible and tracks regressions.
- All actions are SHA-pinned (per existing repo convention - confirmed
  by reviewing other workflows in .github/workflows/).
- Top-level 'permissions: read-all' with per-job least-privilege
  ('security-events: write' only on the analysis job) matches the
  pattern used by 'claude-code-review.yml' and 'labeler.yml'.
- Pure additive: one new workflow file, no other workflow touched,
  no code touched, no CONTRIBUTING / SECURITY / README changes.
- Runs on a shared 'ubuntu-latest' runner (consistent with the rest
  of the repo), weekly schedule (cron 32 6 * * 1) to avoid noisy
  Monday-morning runs.

If maintainers prefer, the README OpenSSF badge can be added in a
follow-up PR once the first run completes.
@camgrimsec camgrimsec requested a review from a team as a code owner June 22, 2026 20:22
@camgrimsec camgrimsec requested review from julian-risch and removed request for a team June 22, 2026 20:22
@vercel (bot) commented Jun 22, 2026

@camgrimsec is attempting to deploy a commit to the deepset Team on Vercel.

A member of the Team first needs to authorize it.

@CLAassistant commented Jun 22, 2026

CLA assistant check
All committers have signed the CLA.

@julian-risch (Member)

Thank you for opening this PR @camgrimsec ! In fact, we added an OpenSSF badge just a few weeks ago to our README: https://github.com/deepset-ai/haystack/blob/main/README.md?plain=1#L8
Haystack is regularly scanned and a report is published online here: https://scorecard.dev/viewer/?uri=github.com%2Fdeepset-ai%2Fhaystack
Nevertheless, it's an interesting idea to run the checks ourselves on a weekly basis to track regressions. Before we review your PR, we need you to agree to the CLA please #11723 (comment)

@camgrimsec (Contributor, Author)

> Thank you for opening this PR @camgrimsec ! In fact, we added an OpenSSF badge just a few weeks ago to our README: https://github.com/deepset-ai/haystack/blob/main/README.md?plain=1#L8
> Haystack is regularly scanned and a report is published online here: https://scorecard.dev/viewer/?uri=github.com%2Fdeepset-ai%2Fhaystack
> Nevertheless, it's an interesting idea to run the checks ourselves on a weekly basis to track regressions. Before we review your PR, we need you to agree to the CLA please #11723 (comment)

Was able to agree to the CLA. Let me know if you need anything else


3 participants