Hey @ceki, Great to hear that logback is reproducible, that's a massive step for the ecosystem! As for running Scorecards on a fork, that's unfortunately not very useful: most of the Scorecard checks are regarding repository settings, which aren't shared with forks (i.e. branch protection, code review, fuzzing via oss-fuzz, etc). However, as long as the workflow runs with the proper minimal permissions, Scorecard isn't a very significant attack vector. And the best part is that if the Action is given excessive permissions, it'll warn you! If you want to see the workflow in action in a real project, see here (the Python NumPy project).
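The "proper minimal permissions" point in the comment above, as an added illustration that is not part of the original thread and not a file taken from logback or NumPy: a GitHub Actions workflow for the Scorecard Action in which the default token is read-only for the whole workflow (`permissions: read-all`) and only the analysis job is granted the two write scopes the Action needs to upload SARIF results and publish them via OIDC. The action version tags, the cron schedule and the branch name are assumptions to be adjusted per repository; the `results_file`, `results_format` and `publish_results` inputs are the Action's documented inputs.

```yaml
# Added example: minimal-permission Scorecard workflow (not logback's or NumPy's own file).
name: Scorecard supply-chain security

on:
  # Re-run when branch protection settings change, weekly, and on pushes to the default branch.
  branch_protection_rule:
  schedule:
    - cron: '20 7 * * 2'   # assumed schedule; pick any weekly slot
  push:
    branches: [ "main" ]   # assumed default branch name

# Workflow-wide default: the GITHUB_TOKEN can only read. Jobs must opt in to anything more.
permissions: read-all

jobs:
  analysis:
    name: Scorecard analysis
    runs-on: ubuntu-latest
    # Only this job gets write scopes, and only the two the Action requires:
    #   security-events: write -> upload the SARIF file to code scanning
    #   id-token: write        -> OIDC token used to publish results to the Scorecard API
    # No contents: write, no pull-requests: write, no actions: write.
    permissions:
      security-events: write
      id-token: write

    steps:
      - name: "Checkout code"
        uses: actions/checkout@v4          # assumed version tag
        with:
          # Do not leave the token in .git/config for later steps to pick up.
          persist-credentials: false

      - name: "Run analysis"
        uses: ossf/scorecard-action@v2.3.1 # assumed version tag; pin to a tag or commit SHA
        with:
          results_file: results.sarif
          results_format: sarif
          # Publishing lets the public Scorecard API and badge show the repository's score.
          publish_results: true

      - name: "Upload to code-scanning"
        uses: github/codeql-action/upload-sarif@v3  # assumed version tag
        with:
          sarif_file: results.sarif
```

The check the comment refers to is that the Action inspects the token it was handed: if a repository grants the job broader scopes than the two above, the Action reports it, so an over-privileged workflow surfaces in the Scorecard output rather than silently widening what a compromised step could do.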