From 0c95fa97861652a2ad5e50ea41387cf93128a85d Mon Sep 17 00:00:00 2001
From: DevITWay | Pavel Volkov
Date: Mon, 6 Apr 2026 02:38:06 +0300
Subject: [PATCH] fix: revert codeql-action to tag in scorecard.yml (#105)

Scorecard webapp verifies upload-sarif action by tag, not SHA. Pinning to SHA causes imposter commit error on webapp submission.
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 7dcd00b..6b77b29 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
 repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
 - name: Upload Scorecard results to GitHub Security tab
- uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+ uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
 with:
 sarif_file: results.sarif
 category: scorecard
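Review bot: The new `uses: github/codeql-action/upload-sarif@v4` line swaps an immutable commit pin for a mutable tag, so whatever `v4` points to at run time executes in this job, the same job whose previous step is handed `secrets.SCORECARD_TOKEN`. An imposter-commit rejection normally means the pinned SHA could not be matched to a branch or tag of the action's repository, not that SHA pins are unsupported; it is worth confirming whether `a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9` is the commit a release tag resolves to rather than a tag object or an unreleased commit. If a verifiable commit exists, keep the pin as `uses: github/codeql-action/upload-sarif@<full-commit-sha-of-release-tag> # v4.x.y`. If the tag really is required, say so in the comment as an accepted exception to the pinning policy (Scorecard's own Pinned-Dependencies check will presumably flag it) and keep the job's `permissions:` block minimal; that block and the start of the job are outside this hunk.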