fix(ci): use commit SHA for ossf/scorecard-action, not tag-object SHA (#156)

docdyhr · claude · web-flow · commit 164c1233c1d4 · 2026-05-27T09:20:32.000+02:00
The Scorecard publish API verifies that the workflow SHA belongs to a
commit in ossf/scorecard-action. The tag v2.4.3 is annotated, so its
tag-object SHA (99c09fe) is different from the commit SHA it points to
(4eaacf05). Using the tag-object SHA caused: "imposter commit does not
belong to ossf/scorecard-action".

Co-authored-by: Claude Sonnet 4.6 &lt;noreply@anthropic.com&gt;
diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
