OpenSSF Best Practices (badge) passing grade

https://www.bestpractices.dev/en/projects/5365

remaining for pass:

  • documentation
    • end-user documentation for EmuHawk
    • document the APIs: #46
  • unique version numbering
    • (suggested) SemVer
  • release notes
    • include in release artifacts: #1, #3 (closed)
  • automated test suite
    • (suggested) ~100% coverage: #149
  • new functionality testing
    • unit test policy
    • unit test policy is being followed
    • (suggested) unit test policy is documented

the silver and gold tiers don't have a lot of important stuff; they're mainly about reducing the "bus factor"

see also https://securityscorecards.dev, which doesn't offer much compared to the badge

  • OpenChain seems better. See #61.

GitLab CI environment/container security something https://docs.gitlab.com/ci/runners/configure_runners/#artifact-provenance-metadata

Edited Jul 10, 2025 by YoshiRulz