Driver
The Scorecard supply-chain workflow fails on every push to main (observed on the v3.1.0 release merge, run 27188194993):
Unable to resolve action `ossf/scorecard-action@v2`, unable to find version `v2`
ossf/scorecard-action no longer publishes the floating v2 major tag. Action refs are resolved while the job is being set up, before any step runs, so the job never starts and every release-merge push now shows a red Scorecard run.
Scope
- .github/workflows/scorecard.yml line 34: pin ossf/scorecard-action@v2 → ossf/scorecard-action@v2.4.3 (latest, published 2025-09-30).
- No other refs change (actions/checkout@v4, upload-artifact@v7, codeql-action/upload-sarif@v4 still resolve).
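An added example (not the project's scorecard.yml and not ossf code) that audits the `uses:` refs in a workflow, classifies each by how it is pinned (full commit SHA, floating major tag, exact tag, branch), and applies the single rewrite in scope without touching the other refs. The sample workflow text is constructed from the refs listed above; the step layout and the `github/` owner prefix on codeql-action are assumptions.

```python
"""Audit `uses:` refs in a GitHub Actions workflow and pin one of them.

Constructed example: the workflow text below is modelled on the refs the
ticket lists, not copied from the project's scorecard.yml.
"""
import re

# A `uses:` line: owner/repo[/path]@ref, with the ref ending at whitespace or a comment.
# Local actions (./path) and docker:// images are deliberately not matched.
USES_RE = re.compile(
    r"^\s*-?\s*uses:\s*"
    r"(?P<action>[A-Za-z0-9_.-]+/[A-Za-z0-9_.-]+(?:/[^@\s]+)?)"
    r"@(?P<ref>[^\s#]+)",
    re.MULTILINE,
)

SHA_RE = re.compile(r"^[0-9a-f]{40}$")                # full commit SHA: immutable
FLOATING_MAJOR_RE = re.compile(r"^v?\d+$")             # v2: moves, and can disappear
EXACT_TAG_RE = re.compile(r"^v?\d+\.\d+(?:\.\d+)?$")   # v2.4.3: resolvable, but a tag can be re-pointed


def classify_ref(ref: str) -> str:
    """Say what kind of ref an action is pinned to."""
    if SHA_RE.match(ref):
        return "sha"
    if FLOATING_MAJOR_RE.match(ref):
        return "floating-major"
    if EXACT_TAG_RE.match(ref):
        return "exact-tag"
    return "branch-or-other"


def audit_uses(workflow_text: str) -> list[tuple[str, str, str]]:
    """Return (action, ref, kind) for every `uses:` step in the workflow."""
    return [
        (m.group("action"), m.group("ref"), classify_ref(m.group("ref")))
        for m in USES_RE.finditer(workflow_text)
    ]


def floating_majors(workflow_text: str) -> list[str]:
    """Refs that break the way scorecard-action@v2 did if the publisher drops the tag."""
    return [f"{a}@{r}" for a, r, kind in audit_uses(workflow_text) if kind == "floating-major"]


def pin_action(workflow_text: str, action: str, old_ref: str, new_ref: str) -> tuple[str, int]:
    """Rewrite `uses: action@old_ref` to `uses: action@new_ref`; return (text, replacements).

    The lookahead stops `@v2` from matching inside `@v2.4.3`, so a re-run is a no-op.
    """
    pattern = re.compile(
        r"(?P<prefix>uses:\s*" + re.escape(action) + r")@" + re.escape(old_ref) + r"(?=\s|#|$)",
        re.MULTILINE,
    )
    return pattern.subn(lambda m: m.group("prefix") + "@" + new_ref, workflow_text)


# Constructed workflow text; owner prefix on codeql-action and step layout are assumed.
SAMPLE_WORKFLOW = """\
name: Scorecard supply-chain security
on:
  push:
    branches: [main]
  workflow_dispatch:
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
      - uses: actions/upload-artifact@v7
      - uses: github/codeql-action/upload-sarif@v4
"""

if __name__ == "__main__":
    for action, ref, kind in audit_uses(SAMPLE_WORKFLOW):
        print(f"{action}@{ref}: {kind}")
    fixed, n = pin_action(SAMPLE_WORKFLOW, "ossf/scorecard-action", "v2", "v2.4.3")
    print(f"{n} ref(s) rewritten")
    print([f"{a}@{r}" for a, r, _ in audit_uses(fixed) if a == "ossf/scorecard-action"])
```

On this input the audit reports all four refs as floating majors, which is exactly why the "still resolve" note above is worth restating: they work only for as long as each publisher keeps its major tag. Pinning to v2.4.3 clears the resolution error, but Scorecard's own Pinned-Dependencies check treats only a full commit SHA (what `classify_ref` reports as "sha") as pinned, so a tag pin will still show up in that check.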
Acceptance Criteria
- scorecard.yml pins ossf/scorecard-action@v2.4.3 (resolvable version, no floating major tag).
- A push to main (or a manual workflow_dispatch) resolves the action and completes without the "unable to find version" error.
Risks / Dependencies
Low — single action-version pin. Same class as #590 (artifact/codeql action bumps).
Glossary
| Term | Definition |
| --- | --- |
| OpenSSF Scorecard | A supply-chain security posture scanner that scores a repo against best-practice checks and uploads SARIF results. |
| Floating major tag | A moving tag like v2 that points at the latest v2.x; when the publisher stops maintaining it, references break. |