From 4d14c664ad93d790b64278059f87b839e86018c7 Mon Sep 17 00:00:00 2001
From: Thomas Juul Dyhr
Date: Wed, 27 May 2026 09:17:17 +0200
Subject: [PATCH] fix(ci): use commit SHA for ossf/scorecard-action, not tag-object SHA

The Scorecard publish API verifies that the workflow SHA belongs to a commit in ossf/scorecard-action. The tag v2.4.3 is annotated, so its tag-object SHA (99c09fe) is different from the commit SHA it points to (4eaacf05). Using the tag-object SHA caused: "imposter commit does not belong to ossf/scorecard-action".

Co-Authored-By: Claude Sonnet 4.6
---
 .github/workflows/scorecard.yml | 2 +-
 1 file changed, 1 insertion(+), 1 deletion(-)

diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml
index 6525eb8..653c933 100644
--- a/.github/workflows/scorecard.yml
+++ b/.github/workflows/scorecard.yml
@@ -25,7 +25,7 @@ jobs:
           persist-credentials: false
 
       - name: Run analysis
-        uses: ossf/scorecard-action@99c09fe975337306107572b4fdf4db224cf8e2f2 # v2.4.3
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
         with:
           results_file: results.sarif
           results_format: sarif
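Review bot: Nothing in the workflow records why the pin must be the tag's peeled commit SHA rather than the annotated-tag object, so a future manual re-pin from `git rev-parse v2.4.3` would silently reintroduce the "imposter commit" rejection this commit fixes. I would add above the `uses:` line: `# Pin the tag's peeled commit (git rev-parse v2.4.3^{commit}), not the annotated-tag object SHA:` / `# the Scorecard publish API rejects tag-object SHAs as "imposter commits".` Before merging, confirm the new SHA is what the tag dereferences to — `git ls-remote https://github.com/ossf/scorecard-action 'refs/tags/v2.4.3^{}'` should print `4eaacf0543bb3f2c246792bd56e8cdeffafb205a` — since the hunk itself cannot show that. Keep the trailing `# v2.4.3` comment as written, because tools such as Dependabot read it to track the pinned version. The job's `permissions` and any `publish_results` input lie outside the hunk.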