ci: apply OSSF Scorecard security best practices

[UlisesGascon]

Related expressjs/security-wg#2

[codecov]

Codecov Report

All modified and coverable lines are covered by tests ✅

Project coverage is 97.82%. Comparing base (26d87a2) to head (1d2c021).
Report is 25 commits behind head on master.

Additional details and impacted files

@@             Coverage Diff             @@
##            master     #364      +/-   ##
===========================================
- Coverage   100.00%   97.82%   -2.18%     
===========================================
  Files            1        1              
  Lines          668      367     -301     
  Branches       151      128      -23     
===========================================
- Hits           668      359     -309     
- Misses           0        8       +8     

☔ View full report in Codecov by Sentry.
📢 Have feedback on the report? Share it here.

🚀 New features to boost your workflow:

• ❄️ Test Analytics: Detect flaky tests, report on failures, and find test suite problems.
• 📦 JS Bundle Analysis: Save yourself from yourself by tracking and limiting bundle sizes in JS merges.

[github-advanced-security]

This pull request sets up GitHub code scanning for this repository. Once the scans have completed and the checks have passed, the analysis results for this pull request branch will appear on this overview. Once you merge this pull request, the 'Security' tab will show more code scanning analysis results (for example, for the default branch). Depending on your configuration and choice of analysis tool, future pull requests will be annotated with code scanning analysis results. For more information about GitHub code scanning, check out the documentation.