fix(scorecard): bump python-scorecard.yml to post-OIDC-fix SHA #29
williaby wants to merge 1 commit into
Pins python-scorecard.yml to f05c26a424a708a73fc445a0ebb5b3ce476c1793, which hard-codes publish_results: false in the reusable workflow to prevent the OIDC token repository claim from resolving to the .github host repo and publishing scorecard results to the wrong repository.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
Pull request overview
Updates the repository’s OpenSSF Scorecard workflow to consume a newer pinned commit of the org-level reusable python-scorecard.yml, intended to incorporate the upstream post-OIDC fix described in the PR.
Changes:
- Bump the reusable workflow pin in .github/workflows/scorecard.yml from d18c930... to f05c26a....
| uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@f05c26a424a708a73fc445a0ebb5b3ce476c1793 # main | ||
| with: | ||
| publish-results: true |
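Review bot: the caller still passes `publish-results: true` under `with:`, but per the PR description the pinned reusable workflow now hard-codes `publish_results: false`, so this input is silently ignored and a reader of this file would wrongly assume results are being published. Either drop the `with:` block or add a comment next to `publish-results: true` stating that the input no longer controls publishing; also consider whether `# main` beside the SHA pin should name the commit the pin actually tracks, since the comment is what a future bump will be checked against.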
Dependency Review: ✅ No vulnerabilities or license issues or OpenSSF Scorecard issues found.
Summary
- Bumps the python-scorecard.yml pin to f05c26a424a708a73fc445a0ebb5b3ce476c1793 (the current clean HEAD of ByronWilliamsCPA/.github)
- Hard-codes publish_results: false in the reusable workflow, preventing the OIDC token repository claim from targeting the .github host repo instead of the calling repo

Root cause
When python-scorecard.yml runs as a reusable callee, the OIDC token's repository claim resolves to ByronWilliamsCPA/.github (where the workflow lives), not the calling repository. The old workflow passed publish_results: ${{ inputs.publish-results }} through to ossf/scorecard-action, which used that claim to publish to the wrong repo and error. Fixed in ByronWilliamsCPA/.github PR #80.

Generated with Claude Code
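To make the root cause concrete, here is an added illustration of the weak setting beside the corrected one. This is not the ByronWilliamsCPA/.github file nor the contents of the pinned commit; it is a minimal reusable scorecard workflow written for this note, and the workflow name, the `publish-results` input, the action version pins and the permission blocks are assumptions. The "before" document passes the caller's input straight through to `ossf/scorecard-action`, which is the pass-through the description blames; the "after" document hard-codes `publish_results: false` and, since nothing is published any more, drops the `id-token: write` permission that publishing would have needed.

```yaml
# Added example, not the project's own workflow. Names and version pins are assumptions.
# --- before: publishing is controlled by the caller's input ---
name: python-scorecard
on:
  workflow_call:
    inputs:
      publish-results:
        type: boolean
        default: false
permissions: read-all
jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # upload the SARIF file to code scanning
      id-token: write          # only needed when results are published via OIDC
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          # weak: when true, publishing keys off the OIDC token's repository claim,
          # which (per the PR description) names the host repo in a reusable callee
          publish_results: ${{ inputs.publish-results }}
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
---
# --- after: publishing is hard-coded off; the caller's input is not consulted ---
name: python-scorecard
on:
  workflow_call:
    inputs:
      publish-results:         # kept for caller compatibility; intentionally unused
        type: boolean
        default: false
permissions: read-all
jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      security-events: write   # SARIF upload still works without publishing
      # id-token: write removed: no OIDC publish, so no token is minted for it
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: false   # hard-coded: results never leave the calling repo's run
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

Two points follow from the "after" document. First, a caller that still sets `publish-results: true` gets no error and no publish, so the input should either be removed from the `workflow_call` contract or documented as inert. Second, removing `id-token: write` from the callee is the least-privilege counterpart of the fix: with no OIDC token minted, there is no `repository` claim to resolve to the wrong repo in the first place.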