
Add the Scorecard Action to monitor procfs' security posture #570

Closed
pnacht opened this issue Sep 15, 2023 · 2 comments · Fixed by prometheus/prometheus#12990


pnacht commented Sep 15, 2023

Hey, it's Pedro (see prometheus/common#490 and prometheus/prometheus#12841). I'm back with another security suggestion.

I found the issues fixed by those PRs by scanning procfs with Scorecard. It looks at a repository's settings and configurations to identify potential points of improvement in a project's security posture.

As it happens, the first issues I worked on involved workflows, which procfs pulls from /common and/or /prometheus, so I sent the PRs over there.

Scorecard is also available as a GitHub Action. It then monitors a project's security posture and populates the Security Panel with any tips it may find relevant for the project. In doing so, it can also flag whenever a code or setting change accidentally weakens the project's security.

procfs' current score is 6.8/10, which places it in the top 10% of projects important to the open-source ecosystem.

I'll write a PR implementing the Action and send it along with this issue.

SuperQ (Member) commented Sep 17, 2023

If we're going to include this action, we should add it to https://github.com/prometheus/prometheus/blob/main/scripts/sync_repo_files.sh. This way it's automatically managed in all Prometheus project repos.

pnacht (Author) commented Oct 16, 2023

Sorry for the delay here, but sure thing, I'd be happy to send this to prometheus/prometheus and add it to the sync script.

I do have one question though. After one of my previous PRs, I realized there's automation keeping things in sync with prometheus/prometheus but there's also prometheus/common, which I'd understood was the container for all "common" things in prometheus projects.

Has /common been deprecated, with /prometheus now being the source-of-truth for common files?
