fix: use tag for codeql-action in scorecard (webapp rejects SHA pins)

2026-04-12 13:50:31 +00:00 · 2026-03-19 10:42:14 +00:00
parent 4ec963d41c
commit 07aed45518
1 changed files with 1 additions and 1 deletions
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
          repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
      - name: Upload Scorecard results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
        with:
          sarif_file: results.sarif
          category: scorecard