diff --git a/.github/workflows/ossf-scorecard.yaml b/.github/workflows/ossf-scorecard.yaml
deleted file mode 100644
index 2caefeb..0000000
--- a/.github/workflows/ossf-scorecard.yaml
+++ /dev/null
@@ -1,60 +0,0 @@
-# Summary: workflow for OSSF Scorecard (https://github.com/ossf/scorecard).
-#
-# Scorecard is an automated tool that assesses a number of important heuristics
-# associated with software security and assigns each check a score of 0-10. The
-# use of Scorecard is suggested in Google's internal GitHub guidance
-# (go/github-docs).
-#
-# Scorecard creates a report page at the following URL (for a repo ORG/REPO):
-# https://scorecard.dev/viewer/?uri=github.com/ORG/REPO
-# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
-
-name: Scorecard code scan
-run-name: Run Scorecard code scan
-
-on:
-  schedule:
-    - cron: '19 20 * * 6'
-
-  # Allow manual invocation.
-  workflow_dispatch:
-
-# Declare default permissions as read only.
-permissions: read-all
-
-# Cancel any previously-started but still active runs on the same branch.
-concurrency:
-  cancel-in-progress: true
-  group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
-
-jobs:
-  scorecard:
-    name: Perform Scorecard analysis
-    runs-on: ubuntu-22.04
-    timeout-minutes: 10
-    permissions:
-      # Needed to upload the results to the code-scanning dashboard.
-      security-events: write
-      # Needed to publish results and get a badge (see publish_results below).
-      id-token: write
-    steps:
-      - name: Check out a copy of the git repository
-        uses: actions/checkout@11bd71901bbe5b1630ceea73d27597364c9af683 # v4.2.2
-        with:
-          persist-credentials: false
-
-      - name: Run Scorecard analysis
-        uses: ossf/scorecard-action@f49aabe0b5af0936a0987cfb85d86b75731b0186 # v2.4.1
-        with:
-          # Save the results
-          results_file: results.sarif
-          results_format: sarif
-
-          # Publish results to OpenSSF REST API.
-          # See https://github.com/ossf/scorecard-action#publishing-results.
-          publish_results: true
-
-      - name: Upload results to code-scanning dashboard
-        uses: github/codeql-action/upload-sarif@b56ba49b26e50535fa1e7f7db0f4f7b4bf65d80d # v3
-        with:
-          sarif_file: results.sarif
diff --git a/.github/workflows/scorecard-scanner.yaml b/.github/workflows/scorecard-scanner.yaml
new file mode 100644
index 0000000..58c7974
--- /dev/null
+++ b/.github/workflows/scorecard-scanner.yaml
@@ -0,0 +1,82 @@
+# Copyright 2026 Google LLC
+#
+# Licensed under the Apache License, Version 2.0 (the "License");
+# you may not use this file except in compliance with the License.
+# You may obtain a copy of the License at
+#
+#     https://www.apache.org/licenses/LICENSE-2.0
+#
+# Unless required by applicable law or agreed to in writing, software
+# distributed under the License is distributed on an "AS IS" BASIS,
+# WITHOUT WARRANTIES OR CONDITIONS OF ANY KIND, either express or implied.
+# See the License for the specific language governing permissions and
+# limitations under the License.
+
+name: Scorecard analysis
+run-name: Run Scorecard scanner for security best practices
+
+# Scorecard (https://github.com/ossf/scorecard) is a repository-scanning tool
+# that evaluates a project's security practices. Its use is suggested by
+# Google's GitHub team. Scorecard's findings are reported in a repo's scanning
+# results page, https://github.com/quantumlib/REPO/security/code-scanning/.
+
+on:
+  schedule:
+    - cron: '19 20 * * 6'
+  workflow_dispatch:
+
+permissions: read-all
+
+concurrency:
+  cancel-in-progress: true
+  group: ${{github.workflow}}-${{github.event.pull_request.number||github.ref}}
+
+jobs:
+  run-scorecard:
+    # Skip fork PRs to avoid "Analysis configuration not found" errors.
+    if: >-
+      github.repository_owner == 'quantumlib' &&
+      (github.event_name != 'pull_request' ||
+       github.event.pull_request.head.repo.fork == false)
+    name: Scorecard analyzer
+    runs-on: ubuntu-24.04
+    permissions:
+      security-events: write
+      id-token: write
+    timeout-minutes: 15
+    steps:
+      - name: Check out a copy of the git repository
+        uses: actions/checkout@de0fac2e4500dabe0009e67214ff5f5447ce83dd # v6.0.2
+        with:
+          persist-credentials: false
+
+      - name: Run Scorecard analysis
+        # yamllint disable rule:line-length
+        uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3
+        with:
+          results_file: scorecard-results.sarif
+          results_format: sarif
+          publish_results: true
+
+      - name: Upload results to code-scanning dashboard
+        # yamllint disable rule:line-length
+        uses: github/codeql-action/upload-sarif@95e58e9a2cdfd71adc6e0353d5c52f41a045d225 # v4.35.2
+        with:
+          sarif_file: scorecard-results.sarif
+
+  # Scorecard doesn't allow submissions from jobs having steps that use "run:".
+  # Printing a summary needs to use "run:", so we have to use a separate job.
+  write-summary:
+    name: Scorecard results
+    needs: run-scorecard
+    runs-on: ubuntu-slim
+    timeout-minutes: 5
+    steps:
+      - name: Write the Scorecard report page link to the workflow summary
+        run: |
+          repo="${{github.repository}}"
+          url="https://scorecard.dev/viewer/?uri=github.com/${repo}"
+          {
+          echo -n "The results are available on the OpenSSF Scorecard "
+          echo "[report page for ${{github.repository}}]($url)."
+          } >> "$GITHUB_STEP_SUMMARY"