From ae791fc4dc4dfd965438a05523e41cf847582b9e Mon Sep 17 00:00:00 2001 From: Amit Kumar Date: Wed, 22 Apr 2026 23:38:50 +0000 Subject: [PATCH] fix(ci): peel codeql-action v3 tag to commit SHA Same imposter-commit issue as scorecard-action: v3 is an annotated tag, so /git/refs/tags/v3 returned the tag object SHA (865f5f5). Replaced with ce64ddc (the actual commit) so scorecard.dev publish succeeds. Co-Authored-By: Claude Opus 4.7 (1M context) --- .github/workflows/scorecard.yml | 2 +- 1 file changed, 1 insertion(+), 1 deletion(-) diff --git a/.github/workflows/scorecard.yml b/.github/workflows/scorecard.yml index ff21f4f..97b5df9 100644 --- a/.github/workflows/scorecard.yml +++ b/.github/workflows/scorecard.yml @@ -40,6 +40,6 @@ jobs: retention-days: 5 - name: upload sarif to code scanning - uses: github/codeql-action/upload-sarif@865f5f5c36632f18690a3d569fa0a764f2da0c3e # v3 + uses: github/codeql-action/upload-sarif@ce64ddcb0d8d890d2df4a9d1c04ff297367dea2a # v3 with: sarif_file: results.sarif