Closed
Labels: bug (Something isn't working), needs-triage (Requires triage and prioritization)
Description
Component
Scripts
Bug Description
The OpenSSF Scorecard badge is not working. The badge URL returns a 404 and the Scorecard viewer shows no results. Investigation revealed that all recent scorecard workflow runs on main are failing with the error:
```
scorecard job must only have steps with `uses`, see https://github.com/ossf/scorecard-action#workflow-restrictions
```
The "Add job summary" step in `.github/workflows/scorecard.yml` uses a `run:` block, which violates the ossf/scorecard-action workflow restrictions.
Expected Behavior
The OpenSSF Scorecard workflow should complete successfully and publish results to the Scorecard API. The badge at https://api.scorecard.dev/projects/github.com/microsoft/hve-core/badge should return a valid image.
Steps to Reproduce
- Navigate to the repository's Actions tab
- Filter by "OpenSSF Scorecard" workflow
- Observe all recent runs on main branch have failed
- Check the failed run logs for the error message
Additional Context
- Badge URL: https://api.scorecard.dev/projects/github.com/microsoft/hve-core/badge
- Viewer URL: https://scorecard.dev/viewer/?uri=github.com/microsoft/hve-core
- ossf/scorecard-action restrictions: https://github.com/ossf/scorecard-action#workflow-restrictions
- Only these actions are allowed: `actions/checkout`, `actions/create-github-app-token`, `actions/upload-artifact`, `github/codeql-action/upload-sarif`, `ossf/scorecard-action`, `step-security/harden-runner`
- Related: Implement OpenSSF Scorecard workflow and badge #269 (original implementation); [Issue]: Residual OpenSSF Scorecard Token-Permissions fixes from #182 #292 (token permissions)
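The following is an added illustration of the restriction behind the error above; it is not the repository's own `scorecard.yml`, which is not reproduced on this page. The first document shows the shape of a scorecard job that trips the check (a `run:` step mixed into the job that runs `ossf/scorecard-action`), the second a job built only from `uses:` steps drawn from the allowed list. Action names come from that list; the cron schedule, step names, version tags and the `with:` inputs (`results_file`, `results_format`, `publish_results`, `persist-credentials`, `egress-policy`, `sarif_file`) are the documented inputs of those actions but are assumptions here, not values taken from this repository. Because the error text scopes the rule to the scorecard job, a summary written with `run:` would have to live in a separate job without `ossf/scorecard-action`; whether that is wanted is not decided on this page.

```yaml
# BEFORE (constructed example): fails with
# "scorecard job must only have steps with `uses`"
name: OpenSSF Scorecard
on:
  schedule:
    - cron: '30 1 * * 6'      # assumed weekly schedule
  push:
    branches: [ main ]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write  # needed to upload the SARIF file
      id-token: write         # needed for publish_results: true
    steps:
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true
      - name: Add job summary   # <- run: step inside the scorecard job: rejected
        run: echo "Scorecard run finished" >> "$GITHUB_STEP_SUMMARY"
      - uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
---
# AFTER (constructed example): every step is a `uses:` of an allowed action.
# Versions are shown as tags for readability; Scorecard's own
# Pinned-Dependencies check expects actions pinned to a full commit SHA.
name: OpenSSF Scorecard
on:
  schedule:
    - cron: '30 1 * * 6'
  push:
    branches: [ main ]
permissions: read-all
jobs:
  analysis:
    runs-on: ubuntu-latest
    permissions:
      security-events: write
      id-token: write
    steps:
      - name: Harden runner
        uses: step-security/harden-runner@v2
        with:
          egress-policy: audit
      - name: Checkout code
        uses: actions/checkout@v4
        with:
          persist-credentials: false
      - name: Run analysis
        uses: ossf/scorecard-action@v2
        with:
          results_file: results.sarif
          results_format: sarif
          publish_results: true     # required for the badge and viewer to show results
      - name: Upload artifact
        uses: actions/upload-artifact@v4
        with:
          name: SARIF file
          path: results.sarif
          retention-days: 5
      - name: Upload to code scanning
        uses: github/codeql-action/upload-sarif@v3
        with:
          sarif_file: results.sarif
```

A quick local check before pushing: every entry under `steps:` in the scorecard job must have a `uses:` key and no `run:` key, and the part of each `uses:` value before the `@` must be one of the six allowed action names listed above.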