From 26e1e12e64db6ae8d94756028175823c7d2c98ac Mon Sep 17 00:00:00 2001
From: devitway <devitway@gmail.com>
Date: Thu, 19 Mar 2026 10:42:14 +0000
Subject: [PATCH] fix: use tag for codeql-action in scorecard (webapp rejects
 SHA pins)

---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 81bc156..a6d97d3 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -32,7 +32,7 @@ jobs:
           repo_token: ${{ secrets.SCORECARD_TOKEN || secrets.GITHUB_TOKEN }}
 
       - name: Upload Scorecard results to GitHub Security tab
-        uses: github/codeql-action/upload-sarif@a60c4df7a135c7317c1e9ddf9b5a9b07a910dda9 # v4
+        uses: github/codeql-action/upload-sarif@v4 # tag required by scorecard webapp verification
         with:
           sarif_file: results.sarif
           category: scorecard