From 4dababcd168d151075e0611da2a4ab8435d7dc18 Mon Sep 17 00:00:00 2001
From: amcheste-ai-agent <278991699+amcheste-ai-agent@users.noreply.github.com>
Date: Mon, 11 May 2026 18:15:58 -0400
Subject: [PATCH] ci: replace imposter codeql-action SHA with real v4 pin

Follow-up to PR #16. The publish_results fix in #16 will let the workflow try to publish on the next Monday scheduled run. But the pinned SHA on github/codeql-action/upload-sarif is an imposter commit per OSSF Scorecard's anti-supply-chain check, and the publish step would fail with:

imposter commit: d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e does not belong to github/codeql-action/upload-sarif

Swap to the real v4 tag commit 68bde559dea0fdcac2102bfdf6230c5f70eb485e, verified via gh api. The same imposter pin propagated from repo-template into every repo born from it.

Companion fixes:
- repo-template PR #11 (open)
- claude-teams-operator PR #228 (open)

Co-Authored-By: Claude Opus 4.7 (1M context)
Co-Authored-By: amcheste <13696614+amcheste@users.noreply.github.com>
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 2915c74..0d84318 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -37,7 +37,7 @@ jobs:
 path: results.sarif
 retention-days: 5
- - uses: github/codeql-action/upload-sarif@d4b3ca9fa7f69d38bfcd667bdc45bc373d16277e # v4
+ - uses: github/codeql-action/upload-sarif@68bde559dea0fdcac2102bfdf6230c5f70eb485e # v4
 if: github.ref_name == github.event.repository.default_branch
 continue-on-error: true
 with: