Add profile for Stacklok health check

profiles/github/stacklok-health-check.yaml

@@ -0,0 +1,66 @@
+---
+# Stacklok health check profile.
+version: v1
+type: profile
+name: stacklok-health-check
+context:
+  provider: github
+alert: "off"
+remediate: "off"
+repository:
+  - type: actions_check_pinned_tags
+    def:
+      exclude:
+        # generator_generic_slsa3 does not support pinning and will fail to retrieve the
+        # generator binary. We need to exclude it from pinning because of this.
+        # See https://github.com/slsa-framework/slsa-github-generator/issues/2993
+        - slsa-framework/slsa-github-generator/.github/workflows/[email protected]
+  - type: branch_protection_allow_force_pushes
+    def: 
+      allow_force_pushes: false
+    params:
+      branch: ""
+  - type: branch_protection_require_pull_request_dismiss_stale_reviews
+    def:
+      dismiss_stale_reviews: true
+    params:
+      branch: ""
+  - type: default_workflow_permissions
+    def:
+      default_workflow_permissions: read
+      can_approve_pull_request_reviews: false
+  - type: dependabot_configured
+    name: go_dependabot
+    def:
+      package_ecosystem: gomod
+      schedule_interval: ""
+      apply_if_file: go.mod
+  - type: dependabot_configured
+    name: npm_dependabot
+    def:
+      package_ecosystem: npm
+      schedule_interval: ""
+      apply_if_file: package.json
+  - type: dependabot_configured
+    name: pypi_dependabot
+    def:
+      package_ecosystem: pypi
+      schedule_interval: ""
+      apply_if_file: requirements.txt
+  - type: dockerfile_no_latest_tag
+    def: {}
+  - type: secret_push_protection
+    def:
+      enabled: true
+      skip_private_repos: true
+  - type: "secret_scanning"
+    def:
+      enabled: true
+      skip_private_repos: true
+pull_request:
+  - type: invisible_characters_check
+    def: {}
+    params: {}
+  - type: mixed_scripts_check
+    def: {}
+    params: {}