chore: improve OpenSSF Scorecard (Signed-Releases, Vulnerabilities, Branch-Protection) (#146)

chore(scorecard): improve OpenSSF Scorecard score

- Fix Signed-Releases (0 -> 10 expected): download GitHub attestation
  bundle after attest-build-provenance and upload as
  patchloom.vsix.intoto.jsonl release asset. Scorecard requires
  release assets (not just API attestations). See ci-build-release skill.
- Bump undici (via vsce/cheerio) via npm audit fix to clear 7 high
  vulns (Vulnerabilities 3 -> 10).
- Updated main-branch-protection ruleset (via API) to set
  require_last_push_approval: true (helps Branch-Protection from 5).
- package-lock.json updated for dep fix.

These target the main actionable low scores (Signed-Releases,
Vulnerabilities, Branch-Protection). Maintained is time-based;
Packaging may be VS Code specific; CII Gold blocked by bus factor.

Signed-off-by: Sebastien Tardif <sebtardif@ncf.ca>

Author: SebTardif

.github/workflows/release.yml

@@ -67,6 +67,28 @@ jobs:
         uses: actions/attest-build-provenance@a2bbfa25375fe432b6a289bc6b6cd05ecd0c4c32 # v4.1.0
         with:
           subject-path: patchloom.vsix
+      - name: Upload attestation bundle as .intoto.jsonl (for Scorecard Signed-Releases)
+        # Scorecard's Signed-Releases check requires .intoto.jsonl *release assets* (not just API attestations).
+        # See ~/.grok/skills/ci-build-release/SKILL.md
+        env:
+          GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}
+        run: |
+          mkdir -p attestation-bundles
+          tmpdir=$(mktemp -d)
+          pushd "$tmpdir" > /dev/null
+          if gh attestation download "$OLDPWD/patchloom.vsix" \
+              --repo "${{ github.repository }}" 2>/dev/null; then
+            for bundle in *.jsonl; do
+              [ -f "$bundle" ] || continue
+              cp "$bundle" "$OLDPWD/attestation-bundles/patchloom.vsix.intoto.jsonl"
+              break
+            done
+          fi
+          popd > /dev/null
+          rm -rf "$tmpdir"
+          if ls attestation-bundles/*.intoto.jsonl >/dev/null 2>&1; then
+            gh release upload "${{ needs.release-please.outputs.tag_name }}" attestation-bundles/*.intoto.jsonl --clobber
+          fi
       - name: Upload .vsix to GitHub Release
         env:
           GH_TOKEN: ${{ secrets.GITHUB_TOKEN }}