From 28ff71950811939fa5599175e203d0699fad9b12 Mon Sep 17 00:00:00 2001
From: devitway <devitway@gmail.com>
Date: Thu, 19 Mar 2026 10:33:27 +0000
Subject: [PATCH] fix: revert scorecard-action to tag (Docker action
 incompatible with SHA pin)

---
 .github/workflows/scorecard.yml | 4 +++-
 1 file changed, 3 insertions(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2771dc1..a9478c7 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -21,8 +21,10 @@ jobs:
         with:
           persist-credentials: false
 
+      # Note: scorecard-action is a Docker-based action that resolves by tag only,
+      # SHA pinning causes resolution failures. Using tag per ossf recommendation.
       - name: Run OpenSSF Scorecard
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif