ci(osv-scanner): fix subshell issue #63

	---
	name: Scorecards supply-chain security
	on:
	push:
	branches:
	- main
	- "releases/**"
	schedule:
	- cron: "0 0 * * 0"
	workflow_dispatch:

	permissions: {}

	jobs:
	scorecards:
	name: Scorecards analysis
	runs-on: ubuntu-latest
	permissions:
	# Required to read the code
	actions: read
	# Required to read the code
	contents: read
	# Required to sign the SARIF file
	id-token: write
	# Required to upload the SARIF file to the security tab
	security-events: write
	steps:
	- name: "Checkout code"
	uses: actions/checkout@df4cb1c069e1874edd31b4311f1884172cec0e10 # v6.0.3
	with:
	fetch-depth: 1
	persist-credentials: false
	- name: "Run analysis"
	uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
	with:
	results_file: scorecards-results.sarif
	results_format: sarif
	publish_results: true
	- name: "Upload to code-scanning"
	uses: github/codeql-action/upload-sarif@8aad20d150bbac5944a9f9d289da16a4b0d87c1e # v4.36.2
	with:
	sarif_file: scorecards-results.sarif

Provide feedback