Synchronize community health files across OpenSSF Scorecard repos
https://github.com/ossf/scorecard-monitor/pull/85 and https://github.com/ossf/scorecard-monitor/pull/86 are two examples that highlight a need for us to make a decision on how we handle our community health files (e.g., security policy, code of conduct), especially now that we have new subprojects in the mix (ref: #4073).
Premises:
- Subproject community health files should be subservient to, and strictly reference, the applicable OpenSSF Scorecard files. This minimizes drift and keeps a consistent experience across the project (e.g., https://github.com/kubernetes/kubernetes-template-project).
Problems:
- OpenSSF Scorecard core community health files may not be up to date, so copy/paste activities will lead to incorrect data in multiple places.
- Default (inherited) community health files can undermine project deviations from OpenSSF standards (ref: https://docs.github.com/en/communities/setting-up-your-project-for-healthy-contributions/creating-a-default-community-health-file, https://github.com/ossf/.github).
cc: @ossf/scorecard-maintainers @UlisesGascon @KoolTheba @lelia
I think this is a good idea. We can all benefit from having common community health files (CoC, Security, etc.). Any project that requires a custom version can still create their own files in the repository. The system should be flexible enough for this. Additionally, it will significantly speed up the generation of new projects.
This issue has been marked stale because it has been open for 60 days with no activity.