BUG: Security-Policy throws a warning if target repo's org has an empty .github repo

[pnacht]

Describe the bug
If the Security-Policy check is run for a repo owned by an org with an empty .github repo, it runs a warning. All the examples I've checked don't have a security policy, so I'm not sure if the check runs normally (the warning says "Skipping...", so I assume it keeps working correctly).

Reproduction steps
Steps to reproduce the behavior:

1. scorecard --repo bazelbuild/rules_sass --checks Security-Policy --format json

unable to get tarball tarball not found: https://api.github.com/repos/bazelbuild/.github/tarball/. Skipping...
[ ...valid JSON output... ]

Note that https://github.com/bazelbuild/.github is empty.

Expected behavior
An empty .github repository should behave identically to one with content but without a SECURITY.md file. So the warning shouldn't be thrown.

Additional context
Empty .github repositories seem to be common with Google-associated orgs, since I've found this for many other projects. The warning is thrown for projects in these orgs as well (at least for the specific repos I've tried):

• https://github.com/golang/.github
• https://github.com/lit/.github
• https://github.com/material-components/.github
• https://github.com/polymer/.github
• https://github.com/tensorflow/.github
• https://github.com/webcomponents/.github