Add OpenSSF Best Practices badge to README

[chicks-net]

Summary

Register the project with the OpenSSF Best Practices Program and add the resulting badge to the README.

Why

The OpenSSF (Open Source Security Foundation) Best Practices badge signals to users and contributors that the project follows security and quality best practices. It also gets the repo listed in the OpenSSF registry, which increases discoverability and adds credibility — especially useful for a tool that handles GitHub tokens and CI/CD pipeline visibility.

Tasks

• Register fini-net/gh-observer at https://www.bestpractices.dev/en/projects/new
• Work through the criteria checklist (passing level is reasonable starting target)
• Once registered, add the badge to README.md alongside the existing shields.io badges
  • Badge format: [![OpenSSF Best Practices](https://www.bestpractices.dev/projects/<ID>/badge)](https://www.bestpractices.dev/projects/<ID>)
• Identify any gaps in current practices and address them (e.g., security policy, contribution guide, signed releases)

Notes

• The project already has several passing criteria: OSI-approved license (MIT), public repo, version control, automated tests, CI workflow
• Build attestations via GitHub Actions already cover supply chain security requirements
• A SECURITY.md policy file may be needed to complete the security disclosure criteria

[chicks-net]

Passing level criteria — status summary

Most of these are already met by this project:

Category	Status	Notes
Basics (description, interact, contribute)	Mostly done	Need to ensure CONTRIBUTING.md explains the process
FLOSS License	Done	GPLv2, LICENSE in repo
Documentation	Mostly done	Need to confirm interface docs exist
Change Control (repo, versioning, release notes)	Done	Git, SemVer tags, auto-generated release notes
Reporting (bug process, vulnerability process)	Done	GitHub Issues + SECURITY.md with vulnerability reporting
Quality (build, tests, warnings)	Done	CodeQL, test suite, CI, linters
Security (crypto, delivery, vulns fixed)	Mostly N/A	No crypto; HTTPS delivery; no known vulns
Analysis (static/dynamic)	Done	CodeQL + Checkov for static; dynamic is SUGGESTED not REQUIRED

Likely gaps to address

• contribution — Need a CONTRIBUTING.md that explicitly describes the contribution process (PR workflow, coding standards)
• warnings — Must confirm use of compiler warnings/linter (Go vet, actionlint, etc. — already in place)
• report_responses — Must acknowledge most bug reports in last 2-12 months
• vulnerability_report_response — Initial response to vuln reports must be ≤14 days

Just getting Passing is enough to move the OpenSSF Scorecard from 0 to full points on CII-Best-Practices.

[chicks-net]

Achieved baseline level 1 compliance.

[chicks-net]

#227 added the badge to the README. Still working on meeting the criteria. The remaining parts are mostly documentation.

[chicks-net]

Level 2 compliance is done in #228