Get a Verified Creator Badge for the REUSE Action
I suggest, in order to raise further trust and calm the security people :) :), that this project try to get the action GitHub verified. Currently, what it really, really implies for the project is a bit of a mystery, but hopefully NGOs should be as OK as non-NGOs. It most likely involves a bit of security policy practice; an example from someone that succeeded: https://github.com/orgs/community/discussions/25265#discussioncomment-3247173.
Why is this potentially good? Well, some GitHub organisations have strict security policies - and have chosen to tick the "Allow
So, it would further raise the trust bar for organizations looking to use the REUSE action in CI pipes.
Note: I'm aware that the REUSE project is looking to move to other hosting alternatives long term (https://github.com/fsfe/reuse-tool/issues/865). But until that happens - and even after - this would still be relevant, as a GitHub Action still might be published.
Phew, that looks like a painful and intransparent process. While I think the GitHub action will persist even if reuse-tool moves away from GitHub, I am not even sure how to start tackling this without wasting too much time knocking at doors.
Are you sure that so much needs to be done that it is painful - how would one know without asking? :) I guess all that needs to be done to find out is to send a short mail and ask - "What steps need to be done to get a verified creators badge for the GitHub Action of REUSE" and the project will most likely find out. From the given example it looks like "2FA enabled" for the organisation and a "verified organisation domain (for FSFE)" are two of the checks to fulfill. The domain one you already fulfill, as shown on your verified org, and I guess you have already enabled 2FA as well.