
fix(ci): use commit SHA for ossf/scorecard-action (not tag-object SHA)#156

Merged
docdyhr merged 1 commit into main from fix/scorecard-sha on May 27, 2026

Conversation

@docdyhr
Owner

@docdyhr docdyhr commented May 27, 2026

Root cause

ossf/scorecard-action@v2.4.3 is an annotated tag, so it has two distinct SHAs:

Reference            SHA
Tag object (wrong)   99c09fe975337306107572b4fdf4db224cf8e2f2
Commit (correct)     4eaacf0543bb3f2c246792bd56e8cdeffafb205a

The Scorecard publish_results: true path sends the workflow SHA to the OpenSSF webapp for signature verification. The webapp checks that the SHA belongs to an actual commit in ossf/scorecard-action. Using the tag-object SHA caused:

error sending scorecard results to webapp: http response 400
workflow verification failed: imposter commit: 99c09fe... does not belong to ossf/scorecard-action

Fix

Replace the tag-object SHA with the dereferenced commit SHA in scorecard.yml.

🤖 Generated with Claude Code

Summary by Sourcery

CI:

  • Update the Scorecard workflow to use the ossf/scorecard-action commit SHA instead of the annotated tag-object SHA to satisfy OpenSSF verification.

The Scorecard publish API verifies that the workflow SHA belongs to a
commit in ossf/scorecard-action. The tag v2.4.3 is annotated, so its
tag-object SHA (99c09fe) is different from the commit SHA it points to
(4eaacf05). Using the tag-object SHA caused: "imposter commit does not
belong to ossf/scorecard-action".

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
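A check for the pin problem described in this PR, written as an added example (it is not code from this PR or from ossf/scorecard-action): it parses the output format of `git ls-remote --tags` offline, where an annotated tag appears twice, once as `refs/tags/<tag>` (the tag object) and once as `refs/tags/<tag>^{}` (the peeled commit), and flags a workflow `uses:` line that is pinned to the tag-object SHA. The sample `ls-remote` output and the before/after workflow lines are constructed from the SHAs quoted above; the function names are assumptions.

```python
"""Verify that a GitHub Actions `uses:` pin is the commit SHA a tag resolves to,
not the SHA of the annotated tag object (added example, not the project's code)."""
import re

# Constructed sample: the shape of `git ls-remote --tags <repo-url> v2.4.3` output
# for an annotated tag. The `^{}` line is the peeled (dereferenced) commit.
SAMPLE_LS_REMOTE = (
    "99c09fe975337306107572b4fdf4db224cf8e2f2\trefs/tags/v2.4.3\n"
    "4eaacf0543bb3f2c246792bd56e8cdeffafb205a\trefs/tags/v2.4.3^{}\n"
)

# Constructed workflow lines: pinned to the tag-object SHA (before) and to the commit SHA (after).
BEFORE = "        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3"
AFTER = "        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3"

# `uses: owner/repo@<40-hex-sha> # <version comment>`
USES_RE = re.compile(
    r"uses:\s*(?P<repo>[\w.-]+/[\w.-]+)@(?P<sha>[0-9a-f]{40})\s*#\s*(?P<tag>\S+)"
)


def resolve_tag(ls_remote_output: str, tag: str) -> tuple:
    """Return (tag_object_sha, commit_sha) for `tag` from ls-remote output.

    A lightweight tag has no `^{}` line, so both values are the same SHA.
    """
    refs = {}
    for line in ls_remote_output.splitlines():
        if not line.strip():
            continue
        sha, ref = line.split("\t", 1)
        refs[ref] = sha
    tag_sha = refs[f"refs/tags/{tag}"]
    commit_sha = refs.get(f"refs/tags/{tag}^{{}}", tag_sha)
    return tag_sha, commit_sha


def check_pin(uses_line: str, ls_remote_output: str) -> str:
    """Classify a pinned `uses:` line against the tag named in its version comment."""
    m = USES_RE.search(uses_line)
    if not m:
        return "unparsed"
    tag_sha, commit_sha = resolve_tag(ls_remote_output, m["tag"])
    if m["sha"] == commit_sha:
        return "ok"              # pinned to the real commit: passes webapp verification
    if m["sha"] == tag_sha:
        return "tag-object-sha"  # pinned to the annotated tag object: "imposter commit"
    return "mismatch"            # SHA belongs to neither; the version comment is stale


if __name__ == "__main__":
    print("before:", check_pin(BEFORE, SAMPLE_LS_REMOTE))
    print("after: ", check_pin(AFTER, SAMPLE_LS_REMOTE))
```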
Copilot AI review requested due to automatic review settings May 27, 2026 07:17
@sourcery-ai

sourcery-ai Bot commented May 27, 2026

Reviewer's Guide

Updates the GitHub Scorecard workflow to reference the commit SHA corresponding to the v2.4.3 annotated tag of ossf/scorecard-action so that the Scorecard webapp receives a valid commit SHA for verification.

Sequence diagram for Scorecard workflow verification with correct commit SHA

sequenceDiagram
    actor Developer
    participant GitHubActions as GitHub_Actions
    participant ScorecardAction as ossf_scorecard_action
    participant OpenSSFWebapp

    Developer->>GitHubActions: push to main
    GitHubActions->>ScorecardAction: run ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a
    ScorecardAction->>OpenSSFWebapp: publish_results with workflow SHA

    alt using tag object SHA (previous config)
        OpenSSFWebapp-->>ScorecardAction: 400 workflow verification failed (imposter commit)
    else using commit SHA (this PR)
        OpenSSFWebapp-->>ScorecardAction: 200 verification succeeded
    end

File-Level Changes

Change: Use the dereferenced commit SHA for ossf/scorecard-action instead of the annotated tag object SHA in the Scorecard GitHub Actions workflow.
Details:
  • Change the ossf/scorecard-action reference from the annotated tag-object SHA to the underlying commit SHA while keeping the version comment as v2.4.3.
  • Ensure Scorecard's publish_results flow now sends a real commit SHA that the OpenSSF webapp can verify.
Files: .github/workflows/scorecard.yml


@sourcery-ai sourcery-ai Bot left a comment


Hey - I've reviewed your changes and they look great!




Copilot AI left a comment


Pull request overview

Fixes the OpenSSF Scorecard workflow by replacing the annotated tag-object SHA for ossf/scorecard-action@v2.4.3 with the actual commit SHA, resolving the "imposter commit" verification error from the OpenSSF webapp.

Changes:

  • Update ossf/scorecard-action pin to the dereferenced commit SHA (4eaacf0…) while keeping the # v2.4.3 annotation.


@codecov

codecov Bot commented May 27, 2026

Codecov Report

✅ All modified and coverable lines are covered by tests.


@docdyhr docdyhr merged commit 164c123 into main May 27, 2026
20 checks passed