It’s expected most projects will use Github actions where the capabilities are sufficient, and that the following will be set up:
As needed by the project
OSSF scorecard assesses a project for best practice.
Each project should integrate a scan using the OSSF scorecard github action.
CodeQL is available for open-source projects, and should be considered if appropriate for the language used.