Fix Scorecard SARIF publication #29
Conversation
💡 Codex Review
Here are some automated review suggestions for this pull request.
Reviewed commit: c92fad385b
ℹ️ About Codex in GitHub
Your team has set up Codex to review pull requests in this repo. Reviews are triggered when you
- Open a pull request for review
- Mark a draft as ready
- Comment "@codex review".
If Codex has suggestions, it will comment; otherwise it will react with 👍.
Codex can also answer questions or update the PR. Try commenting "@codex address that feedback".
| --output="scorecard-results.sarif" \ | ||
| --show-details | ||
| - name: Run Scorecard | ||
| uses: ossf/scorecard-action@4eaacf0543bb3f2c246792bd56e8cdeffafb205a # v2.4.3 |
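Review bot: The visible hunk shows no `with:` block for the new `ossf/scorecard-action` step, so the output path the removed CLI flags produced (`--output="scorecard-results.sarif"`) is not obviously carried over to the action. If a later upload step still expects `scorecard-results.sarif`, pass it explicitly through the action's `results_file` and `results_format: sarif` inputs (or point the upload step at the action's default output); otherwise the SARIF publication this PR is meant to fix can run green while leaving nothing to upload. Pinning the action to a full commit SHA with the `# v2.4.3` comment is the right way to reference it.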
Guard Scorecard action to the default branch
With the existing workflow_dispatch trigger, this step can be manually run on any branch, but ossf/scorecard-action@v2.4.3 rejects non-default refs before writing scorecard-results.sarif (the run for this patch on feature/scorecard-action-sarif-20260621 failed with Only the default branch master is supported). The CLI path this replaces passed --commit="$GITHUB_SHA" and could analyze arbitrary refs, so manual branch runs now fail and never upload SARIF/artifacts; either restrict the job to refs/heads/master or keep a non-default-branch path that does not use this action.
Summary