Add initial release documentation

Signed-off-by: Stephen Augustus <foo@auggie.dev>

RELEASE.md

@@ -0,0 +1,22 @@
+# Releasing the scorecard GitHub Action
+
+This is a draft document to describe the release process for the scorecard
+GitHub Action.
+
+(If there are improvements you'd like to see, please comment on the
+[tracking issue](https://github.com/ossf/scorecard-action/issues/33) or issue a
+pull request to discuss.)
+
+- [steps:](#steps)
+
+## steps:
+
+1. cut a scorecard release and wait for a container image to be created and tagged with new release. Note the hash of the container as `CH1`. Note: we do not need a scorecard release, we can use any stable version we want.
+2. update the hash pin in our [dockerfile](https://github.com/ossf/scorecard-action/blob/main/.github/Dockerfile#L26) to use the container hash `CH1` from step 1. Once the PR is merged, note the GitHub's commit hash as `GH2`.
+~~3. [manually trigger](https://docs.github.com/en/actions/managing-workflow-runs/manually-running-a-workflow) the workflow to generate our container image. Note the hash of the container image generated as `CH3`. It can be found [here](https://github.com/ossf/scorecard-action/pkgs/container/scorecard-action) using the manifest's "digest"`.~~
+~~4. update the container image hash we use in [action.yaml:L45](https://github.com/ossf/scorecard-action/blob/main/action.yaml#L45), using the hash `CH3` from step 3. Once the PR is merged, note the GitHub's commit hash as `GH4`.~~
+5. test the new hash in a test repo we own. If successful, continue.
+6. cut release for the action - the hash of the tagged release should be `GH2`.
+7. send a PR to [starter-workflows/code-scanning/scorecards.yml](https://github.com/actions/starter-workflows/tree/main/code-scanning/scorecards.yml) to update the hash to `GH2` from step 4.
+8. merge a PR to update our documentation's example workflow to use `GH2`. 
+9. verify on the market place that the workflow example contains `GH2`. (the marketplace uses main branch)