Run scorecards only on pushes to main. (#2546)

* Run scorecards only on pushes to main.

This is to prevent the workflow from failing when running in branches
with no previous data to compare.

It also adds the scorecard badge to the README file.

* Add timeout and run_if to ci_yaml_roller.

.ci.yaml

@@ -76,3 +76,6 @@ targets:
 
   - name: Linux ci_yaml packages roller
     recipe: infra/ci_yaml
+    timeout: 30
+    runIf:
+      - .ci.yaml

.github/workflows/scorecards-analysis.yml

@@ -1,9 +1,8 @@
 name: Scorecards supply-chain security
 on:
-  # Only the default branch is supported.
-  branch_protection_rule:
   push:
-    branches: [ main ]
+    branches:
+    - main
 
 # Declare default permissions as read only.
 permissions: read-all

README.md

@@ -2,7 +2,7 @@
 
 [![Build Status](https://api.cirrus-ci.com/github/flutter/packages.svg)](https://cirrus-ci.com/github/flutter/packages/main)
 [![Release Status](https://github.com/flutter/packages/actions/workflows/release.yml/badge.svg)](https://github.com/flutter/packages/actions/workflows/release.yml)
-
+[![OpenSSF Scorecard](https://api.securityscorecards.dev/projects/github.com/flutter/packages/badge)]
 This repo is a companion repo to the main [flutter repo](
 https://github.com/flutter/flutter). It contains the source code for Flutter's
 first-party packages (i.e., packages developed by the core Flutter team).