feat: integrate GS Scorecard workflow (#444)

### Description

This PR adds the GS scorecard job into reusable release. Do not merge
until 1.0.0 GS scorecard image is pushed to ecr

### Checklist

- [x] `README.md` has been updated or is not required
- [ ] push trigger tests
- [ ] manual release test
- [x] automated releases test
- [ ] pull request trigger tests
- [ ] schedule trigger tests
- [ ] workflow errors/warnings reviewed and addressed

### Testing done 

https://github.com/splunk/splunk-add-on-for-microsoft-cloud-services/actions/runs/18752030521/job/53494778020

Author: mbruzda-splunk

.github/workflows/reusable-build-test-release.yml

@@ -97,6 +97,12 @@ on:
       SPL_COM_PASSWORD:
         description: password to splunk.com
         required: true
+      GSSA_AWS_ACCESS_KEY_ID:
+        description: GSSA AWS access key id
+        required: true
+      GSSA_AWS_SECRET_ACCESS_KEY:
+        description: GSSA AWS secret access key
+        required: true
 permissions:
   contents: read
   packages: read
@@ -107,6 +113,8 @@ env:
   PYTHON_VERSION: "3.9"
   POETRY_VERSION: "2.1.4"
   POETRY_EXPORT_PLUGIN_VERSION: "1.9.0"
+  GS_IMAGE_VERSION: "1.0.0"
+  GS_VERSION: "0.3"
 jobs:
   validate-custom-version:
     runs-on: ubuntu-latest
@@ -811,6 +819,50 @@ jobs:
           name: appinspect-api-html-report-${{ matrix.tags }}
           path: AppInspect_response.html
 
+  run-gs-scorecard:
+    name: quality-gs-scorecard
+    needs: build
+    if: ${{ !cancelled() && needs.build.result == 'success' && (github.ref_name == 'main' && github.event_name == 'push') }}
+    runs-on: ubuntu-latest
+    steps:
+      - uses: actions/checkout@v4
+      - name: Configure AWS credentials
+        uses: aws-actions/configure-aws-credentials@v4
+        with:
+          aws-access-key-id: ${{ secrets.GSSA_AWS_ACCESS_KEY_ID }}
+          aws-secret-access-key: ${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }}
+          aws-region: us-west-2
+      - name: Login to Amazon ECR
+        uses: aws-actions/amazon-ecr-login@v2
+      - name: Pull GS Scorecard image
+        run:
+          docker pull 956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:${{ env.GS_IMAGE_VERSION }}
+      - name: Run GS Scorecard
+        env:
+          GITHUB_TOKEN: ${{ secrets.GH_TOKEN_ADMIN }}
+          GITHUB_USERNAME: ${{ secrets.SA_GH_USER_NAME }}
+          APPINSPECT_USER: ${{ secrets.SPL_COM_USER }}
+          APPINSPECT_PASS: ${{ secrets.SPL_COM_PASSWORD }}
+        run: |
+          docker run --rm \
+            -e GITHUB_TOKEN \
+            -e GITHUB_USERNAME \
+            -e AWS_ACCESS_KEY_ID="${{ secrets.GSSA_AWS_ACCESS_KEY_ID }}" \
+            -e AWS_SECRET_ACCESS_KEY="${{ secrets.GSSA_AWS_SECRET_ACCESS_KEY }}" \
+            -e AWS_DEFAULT_REGION="us-west-2" \
+            -e APPINSPECT_USER \
+            -e APPINSPECT_PASS \
+            -e GS_VERSION="${{ env.GS_VERSION }}" \
+            -v "$(pwd)":/addon \
+            956110764581.dkr.ecr.us-west-2.amazonaws.com/ta-automation/gs-scorecard:"${{ env.GS_IMAGE_VERSION }}"
+
+      - name: Upload GS Scorecard report
+        uses: actions/upload-artifact@v4
+        if: always()
+        with:
+          name: gs-scorecard-report
+          path: ./gs_scorecard.html
+
   setup:
     needs:
       - setup-workflow

README.md

@@ -20,6 +20,7 @@
   * [[Job] build](#job-build)
   * [[Job] AppInspect](#job-appinspect)
   * [[Job] AppInspect API](#job-appinspect-api)
+  * [[Job] run-gs-scorecard](#job-run-gs-scorecard)
   * [[Job] setup](#job-setup)
   * [[Job] test-unit-python3](#job-test-unit-python3)
   * [[Job] run-btool-check](#job-run-btool-check)
@@ -523,6 +524,46 @@ appinspect-api-html-report-self-service
 ```
 
 
+## [Job] run-gs-scorecard
+
+**Description**
+
+- This job runs the Gold Standard Scorecard quality assessment tool to evaluate the add-on against security and quality standards.
+
+- The GS Scorecard tool is containerized and runs in a Docker container, analyzing the repository and generating a comprehensive quality report.
+
+- This job only runs on push events to the `main` branch after a successful build.
+
+**Action used:** 
+- AWS ECR (Elastic Container Registry) for Docker image storage
+- Custom Docker image: `ta-automation/gs-scorecard` pushed from GitLab GS Scorecard repository
+
+**Pass/fail behaviour:**
+
+- The job executes the GS Scorecard analysis and generates a quality report.
+
+- The job requires proper AWS credentials for accessing the ECR registry and GitHub credentials for repository analysis.
+
+**Troubleshooting steps for failures if any:**
+
+- Verify that the required secrets are properly configured in GitHub Actions:
+  - `GSSA_AWS_ACCESS_KEY_ID` and `GSSA_AWS_SECRET_ACCESS_KEY` for AWS ECR access
+  - `GH_TOKEN_ADMIN` and `SA_GH_USER_NAME` for GitHub access
+  - `SPL_COM_USER` and `SPL_COM_PASSWORD` for AppInspect integration
+
+- Check that the Docker image version specified in `GS_SCORECARD_VERSION` environment variable exists in the ECR registry.
+
+- Review the job logs for specific error messages from the GS Scorecard tool.
+
+- Ensure the build job completed successfully before this job runs, as it depends on the build artifacts.
+
+**Artifacts:**
+
+```
+gs-scorecard-report (gs_scorecard.html)
+```
+
+
 ## [Job] setup
 
 **Description:**