feat: full repo pimpery pass

- README: upgraded badge strip (PyPI + Python + Downloads + CI + CodeQL
  + OpenSSF Scorecard + scanned-by-pipelock + License), added nav
  links, tightened hero copy.
- New OpenSSF Scorecard workflow (weekly + on push to main, publishes
  results to code scanning dashboard).
- New CodeQL workflow for Python (security-and-quality query set, runs
  on every PR + weekly).

With this pass the public repo has four CI-driven security signals
visible on the README: CI tests, CodeQL, OpenSSF Scorecard, and
pipelock self-scan.

Author: luckyPipewrench

.github/workflows/codeql.yml

@@ -0,0 +1,41 @@
+name: CodeQL
+
+on:
+  push:
+    branches: [main]
+  pull_request:
+    branches: [main]
+  schedule:
+    - cron: '0 6 * * 1'
+
+permissions:
+  contents: read
+
+jobs:
+  analyze:
+    runs-on: ubuntu-latest
+    timeout-minutes: 15
+    permissions:
+      security-events: write
+      packages: read
+
+    strategy:
+      fail-fast: false
+      matrix:
+        language: [python]
+
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Initialize CodeQL
+        uses: github/codeql-action/init@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        with:
+          languages: ${{ matrix.language }}
+          queries: security-and-quality
+
+      - name: Perform CodeQL Analysis
+        uses: github/codeql-action/analyze@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        with:
+          category: "/language:${{ matrix.language }}"

.github/workflows/scorecard.yml

@@ -0,0 +1,41 @@
+name: OpenSSF Scorecard
+
+on:
+  branch_protection_rule:
+  workflow_dispatch:
+  schedule:
+    - cron: '0 5 * * 1'
+  push:
+    branches: [main]
+
+permissions: read-all
+
+jobs:
+  analysis:
+    runs-on: ubuntu-latest
+    permissions:
+      security-events: write
+      id-token: write
+    steps:
+      - uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload Scorecard results
+        uses: actions/upload-artifact@043fb46d1a93c77aae656e7c1c64a875d1fc6a0a # v7.0.1
+        with:
+          name: scorecard-results
+          path: results.sarif
+          retention-days: 5
+
+      - name: Upload to code-scanning
+        uses: github/codeql-action/upload-sarif@c10b8064de6f491fea524254123dbe5e09572f13 # v4
+        with:
+          sarif_file: results.sarif

README.md

@@ -1,26 +1,27 @@
 # pipelock-verify
 
-[![PyPI version](https://img.shields.io/pypi/v/pipelock-verify.svg)](https://pypi.org/project/pipelock-verify/)
-[![Python versions](https://img.shields.io/pypi/pyversions/pipelock-verify.svg)](https://pypi.org/project/pipelock-verify/)
+[![PyPI](https://img.shields.io/pypi/v/pipelock-verify.svg?label=PyPI&logo=pypi&logoColor=white)](https://pypi.org/project/pipelock-verify/)
+[![Python](https://img.shields.io/pypi/pyversions/pipelock-verify.svg?label=Python&logo=python&logoColor=white)](https://pypi.org/project/pipelock-verify/)
+[![Downloads](https://img.shields.io/pypi/dm/pipelock-verify.svg?label=Downloads)](https://pypi.org/project/pipelock-verify/)
 [![CI](https://github.com/luckyPipewrench/pipelock-verify-python/actions/workflows/ci.yml/badge.svg)](https://github.com/luckyPipewrench/pipelock-verify-python/actions/workflows/ci.yml)
+[![CodeQL](https://github.com/luckyPipewrench/pipelock-verify-python/actions/workflows/codeql.yml/badge.svg)](https://github.com/luckyPipewrench/pipelock-verify-python/actions/workflows/codeql.yml)
+[![OpenSSF Scorecard](https://api.scorecard.dev/projects/github.com/luckyPipewrench/pipelock-verify-python/badge)](https://scorecard.dev/viewer/?uri=github.com/luckyPipewrench/pipelock-verify-python)
+[![scanned by pipelock](https://img.shields.io/badge/scanned%20by-pipelock-00FFC8?labelColor=1A1A2E)](https://github.com/luckyPipewrench/pipelock)
 [![License: Apache-2.0](https://img.shields.io/badge/License-Apache_2.0-blue.svg)](LICENSE)
 
-Python verifier for [Pipelock](https://github.com/luckyPipewrench/pipelock)
-action receipts. Verifies the Ed25519 signature, chain linkage, and
-flight-recorder wrapping of receipts emitted by the Pipelock mediator.
+**Python verifier for [Pipelock](https://github.com/luckyPipewrench/pipelock) action receipts.** Verifies the Ed25519 signature, chain linkage, and flight-recorder wrapping of receipts emitted by the Pipelock mediator.
 
-The library mirrors the Go reference implementation byte-for-byte. The
-conformance golden files in `tests/conformance/` are generated by Pipelock's
-Go code and verified identically by both sides.
+Mirrors the Go reference implementation byte-for-byte. The conformance golden files in `tests/conformance/` are generated by Pipelock's Go code and verified identically by both sides.
+
+[Install](#install) · [Usage](#usage) · [What gets verified](#what-gets-verified) · [Canonicalization](#canonicalization-rules) · [Spec](https://pipelab.org/learn/action-receipt-spec/) · [Go reference](https://github.com/luckyPipewrench/pipelock)
 
 ## Install
 
 ```bash
 pip install pipelock-verify
 ```
 
-Only one runtime dependency: [`cryptography`](https://cryptography.io) for
-the Ed25519 primitives.
+Only one runtime dependency: [`cryptography`](https://cryptography.io) for the Ed25519 primitives.
 
 ## Usage