
README: add some badges #48655

Merged
thaJeztah merged 1 commit into moby:master from
thaJeztah:vanity_badges
Oct 16, 2024

@thaJeztah
Member

Add badges for pkg.go.dev docs, go-reportcard, and OpenSSF score.

Signed-off-by: Sebastiaan van Stijn <[email protected]>
Contributor

@austinvazquez austinvazquez left a comment

LGTM

@tianon
Member

tianon commented Oct 15, 2024

Big +1 to the Go reference link, but IMO the other two are kind of tacky (🙈)

I'm not opposed strongly enough to try and block, though 🙇

Contributor

@vvoland vvoland left a comment

LGTM

@thaJeztah
Member Author

> but IMO the other two are kind of tacky (🙈)

Yeah, I must admit that;

  • The GoReportCard one has become less relevant over the years; I still use it periodically, because for some reason it picks gofmt issues that are not picked up by our GolangCI-lint config (we should probably try and fix that)
  • Somewhat mixed feelings on the OpenSSF ScoreCard;
    • ✅ it helped pick up some genuine missing configurations in our GitHub actions (some running too permissive), and
    • ✅ I agree on the score it gave to our SECURITY.md (touch-up security policy #48280)
    • 🤷‍♂️ Score on "is the repo actively maintained" is sometimes not relevant for stable repositories (no code churn needed on those)
    • 🤷‍♂️ Score on "has Fuzzing" is pretty poor; it only does a rudimentary check, so it's really just a "vanity score"
    • ❌ Score on having a badge for OpenSSF best practices (which requires granting permissions to some individual)
    • ⚠️ Not a fan of "pinning dependencies" score (but perhaps it could be with some additional rules); some dependencies (actions) are "trusted", and on purpose not pinned (to prevent release branches running outdated ones)

Things we should add, but are currently missing;

  • CI status: I left it out for now, because a couple of tests on master are failing on Windows 19.03. They could be either legit, or just limitations of the older Windows version; we should look into those and either fix, or skip them.
  • CodeCov: also somewhat debatable, because I know we have many more integration tests (and coverage that may not always be measured); still, there are definitely packages that could use some love to increase coverage; we should work on that (and CodeCov could assist in finding those).
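
Added example, not part of the original thread and not code from moby or OpenSSF Scorecard: a small workflow audit that separates actions pinned to a full commit SHA from ones left on a tag, with an allowlist for "trusted" actions that are unpinned on purpose, the kind of additional rule the comment above suggests, plus a check for a workflow-wide `permissions:` key. The `TRUSTED_OWNERS` set, the function names and the sample workflow are assumptions made for illustration.

```python
import re

# Hypothetical allowlist: owners whose actions are tracked by tag on purpose.
TRUSTED_OWNERS = {"actions", "docker"}

USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*['\"]?([^'\"\s#]+)")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")

# Constructed sample workflow, not taken from the moby repository.
SAMPLE = """\
name: ci
on: [push]
jobs:
  test:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: example-org/setup-tool@v1
      - uses: example-org/lint@0123456789abcdef0123456789abcdef01234567 # v2.0.0
      - uses: ./.github/actions/local
"""

def classify(ref):
    """Classify a `uses:` reference by how it is pinned."""
    if ref.startswith("./"):
        return "local"  # action in the same repository, nothing to pin
    name, _, version = ref.partition("@")
    if SHA_RE.match(version):
        return "pinned"  # full commit SHA, immutable
    owner = name.split("/", 1)[0]
    return "trusted-unpinned" if owner in TRUSTED_OWNERS else "unpinned"

def audit(workflow_text):
    """Return (line number, reference, status) for every `uses:` line."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), 1):
        match = USES_RE.match(line)
        if match:
            findings.append((lineno, match.group(1), classify(match.group(1))))
    return findings

def declares_top_level_permissions(workflow_text):
    """True if the workflow sets a workflow-wide `permissions:` key."""
    return re.search(r"^permissions:", workflow_text, re.MULTILINE) is not None

if __name__ == "__main__":
    for finding in audit(SAMPLE):
        print(*finding)
    print("top-level permissions:", declares_top_level_permissions(SAMPLE))
```

Only the `unpinned` findings need review; `trusted-unpinned` entries record a deliberate decision rather than an oversight.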

@thaJeztah
Member Author

Let me bring this one in, but we can update the list in future

@thaJeztah thaJeztah merged commit 277cd94 into moby:master Oct 16, 2024
@thaJeztah thaJeztah deleted the vanity_badges branch October 16, 2024 12:30