Aggregate Scorecards metrics on a new package release

[mayaCostantini]

This issue is part of the following EPIC: #434

2. Compute metrics for packages present in Thoth's database that will serve as a basis for a global software stack quality score

Taking the example of OSSF Scorecards, we already aggregate this information in prescriptions which are used directly by the adviser. However, the aggregation logic present in prescriptions-refresh-job only updates prescriptions for packages already present in the repository. We could either aggregate Scorecards data for more packages using the OSSF BigQuery dataset or have our own tool that computes Scorecards metrics on a new package release, which could be integrated directly into package-update-job for instance. This would most likely consist in a simple script querying the GitHub API and computing the metrics on the project's last release commit.

Aggregate Scorecards metrics on a new package release using one of the two methods above

For the corresponding ADR proposal on how to aggregate the Scorecard data, see #439

Next steps:

• Validate the ADR proposal
• Create the corresponding workflow in https://github.com/thoth-station/package-releases-job

[sesheta]

@mayaCostantini: This issue is currently awaiting triage.
If a refinement session determines this is a relevant issue, it will accept the issue by applying the
triage/accepted label and provide further guidance.

The triage/accepted label can be added by org members by writing /triage accepted in a comment.

Details

Instructions for interacting with me using PR comments are available here. If you have questions or suggestions related to my behavior, please file an issue against the kubernetes/test-infra repository.

[mayaCostantini]

/sig stack-guidance
/priority critical-urgent

[goern]

/kind feature