fix(scorecard): pin python-scorecard.yml to explicit SHA (was @main)#36

Merged
williaby merged 2 commits into
mainfrom
fix/scorecard-sha-f05c26a4
Jun 10, 2026
Conversation

@williaby

Contributor

Summary

  • Replaces the floating @main ref with f05c26a424a708a73fc445a0ebb5b3ce476c1793 (current HEAD of ByronWilliamsCPA/.github)
  • Eliminates the supply-chain risk of silent behavior changes when .github main advances
  • This SHA also hard-codes publish_results: false, fixing the OIDC token repository claim bug for reusable workflow callees

Generated with Claude Code

Replaces the floating @main ref with the explicit commit SHA
f05c26a424a708a73fc445a0ebb5b3ce476c1793 of ByronWilliamsCPA/.github.
This SHA hard-codes publish_results: false, fixing the OIDC token
repository claim bug. Pinning to a SHA also eliminates the supply-chain
risk of silent behavior changes on future commits to .github main.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>
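The description's point is that a `uses:` reference on a moving branch lets the callee change underneath the caller. The following is an added example, not code from this PR or from the ByronWilliamsCPA/.github project: a small checker that scans workflow text for `uses:` references and reports every one that is not pinned to a full 40-hex commit SHA (branches and tags alike, since tags can be moved too). The sample workflow is constructed for the demonstration and the classification heuristics are assumptions of the example.

```python
"""Flag GitHub Actions / reusable-workflow refs not pinned to a full commit SHA.
Added example; it treats workflow files as plain text rather than parsing YAML."""
import re
from typing import List, Tuple

# Matches `uses:` both as a job key and as a `- uses:` step item.
USES_RE = re.compile(r"^\s*-?\s*uses:\s*['\"]?([^\s'\"#]+)")
FULL_SHA_RE = re.compile(r"^[0-9a-f]{40}$")


def classify_ref(ref: str) -> str:
    """Return 'local', 'docker', 'sha', 'tag', 'branch' or 'unversioned'."""
    if ref.startswith("./"):
        return "local"          # same-repo action, no pin needed
    if ref.startswith("docker://"):
        return "docker"         # image refs need digest pinning, out of scope here
    if "@" not in ref:
        return "unversioned"
    _, version = ref.rsplit("@", 1)
    if FULL_SHA_RE.match(version):
        return "sha"
    # Assumed heuristic: semver-looking refs are tags; anything else is a branch.
    if re.match(r"^v?\d+(\.\d+)*$", version):
        return "tag"
    return "branch"


def find_unpinned_uses(workflow_text: str) -> List[Tuple[int, str, str]]:
    """Return (line number, ref, kind) for each ref that is not a full SHA."""
    findings = []
    for lineno, line in enumerate(workflow_text.splitlines(), start=1):
        m = USES_RE.match(line)
        if m:
            ref = m.group(1)
            kind = classify_ref(ref)
            if kind not in ("local", "docker", "sha"):
                findings.append((lineno, ref, kind))
    return findings


# Constructed sample: the floating ref this PR replaces, its pinned form, a tag, a local action.
SAMPLE_WORKFLOW = """\
jobs:
  before:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@main
  after:
    uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@f05c26a424a708a73fc445a0ebb5b3ce476c1793
  steps_demo:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - uses: ./.github/actions/local-thing
"""

if __name__ == "__main__":
    for lineno, ref, kind in find_unpinned_uses(SAMPLE_WORKFLOW):
        print(f"line {lineno}: {kind:<7} {ref}")
```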
Copilot AI review requested due to automatic review settings May 11, 2026 14:16
@williaby williaby enabled auto-merge (squash) May 11, 2026 14:16
@coderabbitai

coderabbitai Bot commented May 11, 2026


Warning

Review limit reached

@williaby, we couldn't start this review because you've reached your PR review rate limit.

More reviews will be available in 25 minutes and 29 seconds. Learn how PR review limits work.

Your organization has run out of usage credits. Purchase more in the billing tab.

⌛ How to resolve this issue?

After more reviews become available, a review can be triggered using the @coderabbitai review command as a PR comment. Alternatively, push new commits to this PR.

We recommend that you space out your commits to avoid hitting the rate limit.

🚦 How do rate limits work?

CodeRabbit enforces hourly rate limits for each developer per organization.

Our paid plans include higher PR review limits than trial, open-source, and free plans. In all cases, reviews become available again over time. During sustained high-volume PR review activity, CodeRabbit may temporarily slow when the next review becomes available.

Please see our Fair Usage Limits Policy for further information.

ℹ️ Review info
⚙️ Run configuration

Configuration used: Path: .coderabbit.yaml

Review profile: ASSERTIVE

Plan: Pro

Run ID: 99a2ee2c-051f-4cbe-8b78-3b5b368ff94d

📥 Commits

Reviewing files that changed from the base of the PR and between 698bcba and a9c644d.

📒 Files selected for processing (1)
  • .github/workflows/scorecard.yml

Copilot AI left a comment


Pull request overview

Pins the repository’s OpenSSF Scorecard GitHub Actions workflow to an immutable reusable-workflow reference to avoid unintended behavior changes from tracking a moving branch.

Changes:

  • Updated the reusable workflow reference from @main to a full commit SHA for ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml.

Comment on lines +29 to 32
uses: ByronWilliamsCPA/.github/.github/workflows/python-scorecard.yml@f05c26a424a708a73fc445a0ebb5b3ce476c1793
with:
publish-results: true
upload-sarif: true
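Review bot: the caller still passes `publish-results: true` on the line below the pinned `uses:`, while the PR description says the pinned SHA hard-codes publish_results: false in the reusable workflow. If the callee ignores the input, this line is dead configuration that misleads anyone reading scorecard.yml; if it does not, the description's OIDC-claim fix is not what lands. Suggest either dropping `publish-results: true` or correcting the description so the two agree, and adding a trailing comment on the `uses:` line recording what the SHA corresponds to (e.g. `# .github main as of <date>`) so the pin can be audited and refreshed deliberately.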
@codecov

codecov Bot commented May 11, 2026


Codecov Report

✅ All modified and coverable lines are covered by tests.

📢 Thoughts on this report? Let us know!

@williaby williaby added the skip-changelog label (PR intentionally omits a CHANGELOG entry) Jun 10, 2026
@sonarqubecloud


@williaby williaby merged commit 4365097 into main Jun 10, 2026
33 of 36 checks passed
@williaby williaby deleted the fix/scorecard-sha-f05c26a4 branch June 10, 2026 02:40
williaby added a commit that referenced this pull request Jun 10, 2026
Re-resolve against current main (#36/#41/#37 landed after the first sync):
- mutation-testing.yml, scorecard.yml: take main's versions (preserve the
  already-merged #41/#36 changes; #40's per-job permission tightening on
  those two files is dropped to avoid reverting merged work).
- CHANGELOG.md: keep both the Security (this PR) and Documentation (main) sections.

Co-Authored-By: Claude Sonnet 4.6 <noreply@anthropic.com>