fix: revert scorecard-action to tag (Docker action incompatible with SHA pin)

2026-04-12 10:20:32 +00:00 · 2026-03-19 10:33:27 +00:00
parent d51f176fd8
commit 7f7e3e4986
1 changed files with 3 additions and 1 deletions
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -21,8 +21,10 @@ jobs:
        with:
          persist-credentials: false

+      # Note: scorecard-action is a Docker-based action that resolves by tag only,
+      # SHA pinning causes resolution failures. Using tag per ossf recommendation.
      - name: Run OpenSSF Scorecard
-        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        uses: ossf/scorecard-action@v2.4.3
        with:
          results_file: results.sarif
          results_format: sarif