
ci(#600): pin ossf/scorecard-action to v2.4.3 #601

Merged
atlas-apex merged 1 commit into dev from ci/GH-600-pin-scorecard-action
Jun 9, 2026

Conversation

@atlas-apex

Collaborator

Summary

  • Pins ossf/scorecard-action@v2 → @v2.4.3 in .github/workflows/scorecard.yml. The floating v2 major tag is no longer published by the action, so the Scorecard job failed at setup on every push to main with "unable to find version v2" (observed on the v3.1.0 release merge, run 27188194993).
  • Restores the supply-chain posture scan — without a resolvable action ref, no Scorecard SARIF is produced and the README badge goes stale. v2.4.3 (published 2025-09-30) is the latest release.
  • One-line, lowest-risk fix — same class as [CI] Bump upload-artifact v4->v7 + codeql-action v3->v4 (manual, supersedes 539/541) #590 (artifact/codeql action version bumps). No other action refs change.

Testing

  1. CI on this PR resolves the action and the Scorecard job sets up without the version error.
  2. After merge, the next push-to-main (or a manual workflow_dispatch) Scorecard run completes and uploads SARIF.

Closes #600


Glossary

| Term | Definition |
| --- | --- |
| OpenSSF Scorecard | Supply-chain security posture scanner that scores a repo against best-practice checks and uploads SARIF. |
| Floating major tag | A moving tag (v2) pointing at the latest v2.x; references break when the publisher stops maintaining it. |

The floating @v2 major tag no longer resolves ("unable to find version v2"),
failing the Scorecard workflow on every push to main (seen on the v3.1.0
release merge, run 27188194993). Pin to the latest published release v2.4.3.

Closes #600

Co-Authored-By: Claude Opus 4.8 (1M context) <noreply@anthropic.com>

- name: Run analysis
uses: ossf/scorecard-action@v2
uses: ossf/scorecard-action@v2.4.3
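Review bot: the replacement ref `ossf/scorecard-action@v2.4.3` on the `uses:` line is still a git tag, which the action's publisher can move or delete, so this step can break again or resolve to different code without any change to this file; since the diff touches only this one line, consider pinning to the release's full commit SHA and keeping the version readable as a trailing comment, e.g. `uses: ossf/scorecard-action@<full-commit-sha-of-v2.4.3> # v2.4.3`, which is what the review below also recommends as follow-up hardening.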

@atlas-apex atlas-apex left a comment

Collaborator Author


Code Review: PR #601

Commit: 4d2d8366fdd2f3208227a7299bd1e809fd91df36

Summary

One-line CI fix pinning ossf/scorecard-action@v2 → @v2.4.3 in .github/workflows/scorecard.yml. The floating v2 major tag no longer resolves, breaking the Scorecard job at setup on push-to-main.

Checklist Results

  • Architecture & Design: N/A (CI config)
  • Code Quality: Pass
  • Testing: Pass (CI verifies action resolution + SARIF upload)
  • Security: Pass — pins a floating tag to an immutable release; improves supply-chain posture
  • Performance: N/A
  • PR Description & Glossary: Pass (Summary + Testing + Glossary + Closes #600)
  • Summary Bullet Narrative: Pass (bullets state what changed + why it matters)
  • Technical Decisions (AgDR): N/A (version pin matching existing #590 pattern, no new tool choice)
  • Adopter Handbooks: N/A (no handbook globs match a workflow-only diff)

Verification

  • Diff is exactly the single-line pin (+1/-1), only file is scorecard.yml.
  • ossf/scorecard-action@v2.4.3 is a real published release (2025-09-30), confirmed via the GitHub releases API.
  • The only scorecard-action ref in the workflow is the one being pinned — no other action refs touched.
  • Closes #600 (OPEN, title matches the PR intent).
  • Commit SHA matches PR HEAD.

Issues Found

None.

Suggestions

nit (non-blocking, future hardening): for strongest supply-chain posture, OpenSSF's own guidance is to pin actions to a full commit SHA (ossf/scorecard-action@<sha> # v2.4.3) rather than a semver tag, since tags are mutable. The semver pin here already fixes the immediate breakage and matches the existing repo convention (#590), so this is purely optional follow-up.

Verdict

APPROVED


🤖 Reviewed by Rex (Code Reviewer Agent)
📌 Reviewed commit: 4d2d8366fdd2f3208227a7299bd1e809fd91df36
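The glossary's "floating major tag" entry and the reviewer's suggestion to pin to a commit SHA both reduce to one audit question: which `uses:` refs in a workflow can move underneath the caller. The script below is an added example written for this page, not code from this repository or from ossf/scorecard-action. It pulls `uses:` lines out of a workflow with a regular expression (so it needs no YAML library), classifies each ref as a full commit SHA, a semver release tag, a floating major/minor tag, or a branch, and flags SHA pins that lack the human-readable `# vX.Y.Z` comment. The embedded workflow text, the action names other than the ones on this page, and the 40-character SHA in it are constructed placeholders.

```python
import re

# Hypothetical audit helper written for this page (not from the repo or from
# ossf/scorecard-action): finds `uses:` refs in a workflow and reports which
# ones can change without the workflow file changing.

# Matches `uses: owner/repo[/path]@ref [# comment]`, with optional leading "- ".
USES_RE = re.compile(r"^\s*(?:-\s*)?uses:\s*([^@\s]+)@(\S+)(?:\s+#\s*(.*?))?\s*$")
SHA_RE = re.compile(r"^[0-9a-f]{40}$")           # full commit SHA (immutable)
SEMVER_RE = re.compile(r"^v?\d+\.\d+\.\d+$")     # release tag such as v2.4.3
FLOATING_RE = re.compile(r"^v?\d+(?:\.\d+)?$")   # major/minor tag such as v2

# What each ref kind lets the action publisher change after the fact.
RISK = {
    "sha": "ok: immutable",
    "semver-tag": "medium: tag is mutable and can be moved or deleted",
    "floating-tag": "high: tag tracks the latest release and may stop being published",
    "branch-or-other": "high: ref resolves to whatever the branch points at today",
}


def classify_ref(ref):
    """Return the pinning kind of one action ref."""
    if SHA_RE.match(ref):
        return "sha"
    if SEMVER_RE.match(ref):
        return "semver-tag"
    if FLOATING_RE.match(ref):
        return "floating-tag"
    return "branch-or-other"


def audit_workflow(text):
    """Return one finding per `uses:` line that references a remote action."""
    findings = []
    for lineno, line in enumerate(text.splitlines(), 1):
        m = USES_RE.match(line)
        if not m:
            continue  # local actions (./path) carry no '@ref' and are skipped
        action, ref, comment = m.groups()
        kind = classify_ref(ref)
        findings.append({
            "line": lineno,
            "action": action,
            "ref": ref,
            "kind": kind,
            "risk": RISK[kind],
            # A SHA pin should carry the human-readable version as a comment.
            "annotated": comment is not None,
        })
    return findings


def needs_pinning(findings):
    """Findings whose ref is not an immutable commit SHA."""
    return [f for f in findings if f["kind"] != "sha"]


# Constructed sample workflow; the 40-hex SHA is a placeholder, not a real
# commit of any action.
SAMPLE_WORKFLOW = """\
name: Scorecard
on:
  push:
    branches: [main]
jobs:
  analysis:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@v4
      - name: Run analysis
        uses: ossf/scorecard-action@v2.4.3
      - name: Upload SARIF
        uses: github/codeql-action/upload-sarif@0123456789abcdef0123456789abcdef01234567 # v3
      - uses: example-org/unreleased-tool@main
"""


def main():
    findings = audit_workflow(SAMPLE_WORKFLOW)
    for f in findings:
        note = "" if f["annotated"] or f["kind"] != "sha" else " (no version comment)"
        print(f"line {f['line']:>3}: {f['action']}@{f['ref']} [{f['kind']}] -> {f['risk']}{note}")
    print(f"{len(needs_pinning(findings))} of {len(findings)} refs are not SHA-pinned")


if __name__ == "__main__":
    main()
```

Running it against the sample reports the checkout step as a floating tag, the Scorecard step as a semver tag (the state this PR leaves the workflow in), the upload step as SHA-pinned with its version comment, and the branch ref as unpinned, so three of four refs still depend on the publisher not moving anything.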

@atlas-apex atlas-apex merged commit 771e2ea into dev Jun 9, 2026
5 checks passed
@atlas-apex atlas-apex deleted the ci/GH-600-pin-scorecard-action branch June 9, 2026 06:50

3 participants