
Generate workflow config file before releases #315

Open
justaugustus opened this issue May 24, 2022 · 1 comment

Comments

@justaugustus
Member

From @laurentsimon in #301 (comment):

you can remove this file if you want. It's out of date and we're not maintaining it. It was supposed to be a local copy of the workflow we give to GitHub's starter-workflow, but we just get it from https://github.com/actions/starter-workflows/blob/main/code-scanning/scorecards.yml directly instead.

We make a mention of this file in the release documentation.
It would be cool to investigate generating the file somehow and then having a test to ensure it stays correct.

(We had multiple copies in the repo and neither of them were the one used in production.)

Then we regenerate it before a release and use it to update the starter-workflows one upstream.

@laurentsimon
Contributor

I'm not sure it's feasible to generate it before the release. It's a chicken-and-egg problem. The hash needs to be the hash of the commit of the release, but it will change if you commit the hash before release.

I think you need to generate it after the release, and possibly create a PR that we merge in. Note also that the README's workflow example has a hash which we may want to update as well. The README is always read at HEAD by https://github.com/marketplace/actions/ossf-scorecard-action, so it works if we update it after the release.
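The approach the two comments converge on, as an added example that is not code from the Scorecard project: the workflow file is rendered from a template only after the release exists, using the commit SHA the release tag points at, and a check then asserts that every `uses:` line is pinned to a full commit SHA with a version comment and that the Scorecard pin matches the release. The template, the SHAs and the version strings below are constructed for illustration; `resolve_tag` shells out to `git` and therefore needs a checkout, which is why it is not called in the offline demonstration.

```python
"""Render a pinned Scorecard workflow after a release and check that it stays
correct. Added example, not project code; template, SHAs and versions are
constructed for illustration."""
import re
import subprocess

SHA_RE = re.compile(r"^[0-9a-f]{40}$")
# Matches e.g. "uses: ossf/scorecard-action@<ref> # v1.1.2", capturing the
# action, the ref after "@" and the optional version comment.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*([\w.-]+/[\w.-]+)@(\S+)\s*(?:#\s*(\S+))?\s*$")

# Constructed template: only the pins depend on the release being cut.
TEMPLATE = """\
name: Scorecards supply-chain security
on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]
permissions: read-all
jobs:
  analysis:
    name: Scorecards analysis
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: "Checkout code"
        uses: actions/checkout@{checkout_sha} # {checkout_version}
        with:
          persist-credentials: false
      - name: "Run analysis"
        uses: ossf/scorecard-action@{scorecard_sha} # {scorecard_version}
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
"""

# Constructed release data: hypothetical SHAs and versions, not real releases.
RELEASE = {
    "checkout_sha": "1111111111111111111111111111111111111111",
    "checkout_version": "v3.0.2",
    "scorecard_sha": "2222222222222222222222222222222222222222",
    "scorecard_version": "v1.1.2",
}
EXPECTED = {
    "actions/checkout": (RELEASE["checkout_sha"], RELEASE["checkout_version"]),
    "ossf/scorecard-action": (RELEASE["scorecard_sha"], RELEASE["scorecard_version"]),
}


def resolve_tag(tag, repo="."):
    """Commit SHA a tag points at (annotated tags are dereferenced). This value
    exists only after the release commit has been made, which is the
    chicken-and-egg problem: it cannot be committed before the release."""
    return subprocess.check_output(
        ["git", "-C", repo, "rev-list", "-n", "1", tag], text=True
    ).strip()


def render_workflow(release, template=TEMPLATE):
    """Fill the template with the release's commit SHAs and version tags."""
    return template.format(**release)


def find_pins(workflow):
    """Return (action, ref, comment) for every `uses:` line in the workflow."""
    pins = []
    for line in workflow.splitlines():
        m = USES_RE.match(line)
        if m:
            pins.append((m.group(1), m.group(2), m.group(3)))
    return pins


def check_pins(workflow, expected):
    """Problems with the pins in `workflow`; an empty list means it is correct.

    Every pin must be a full 40-hex SHA with a version comment, and the actions
    listed in `expected` must be pinned to exactly the (sha, version) given, so
    a stale copy of the file fails once a new release is cut."""
    problems = []
    seen = set()
    for action, ref, comment in find_pins(workflow):
        seen.add(action)
        if not SHA_RE.match(ref):
            problems.append(f"{action}: ref {ref!r} is not a full commit SHA")
        if comment is None:
            problems.append(f"{action}: missing version comment after the SHA")
        if action in expected:
            sha, version = expected[action]
            if ref != sha:
                problems.append(f"{action}: pinned to {ref}, release is {sha}")
            if comment != version:
                problems.append(f"{action}: comment {comment!r} != {version!r}")
    for action in expected:
        if action not in seen:
            problems.append(f"{action}: not used in the workflow")
    return problems


if __name__ == "__main__":
    print(check_pins(render_workflow(RELEASE), EXPECTED))  # [] : matches release
    floating = render_workflow({**RELEASE, "scorecard_sha": "main"})
    print(check_pins(floating, EXPECTED))  # a branch ref is rejected
```

In the post-release flow this sketches, the release job would call `resolve_tag("v1.1.2")`, feed the result into `render_workflow`, and open the PR that updates the in-repo copy (and the README example) with the rendered file; running `check_pins` against the committed copy in CI is the test that keeps it from drifting again.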
