Describe the bug
A clear and concise description of what the bug is.
Reproduction steps
- Create a workflow which uses a reusable workflow (e.g. slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml)
- Use a tag instead of a commit SHA (@v1.2.0)
- Run Scorecard for Pinned-Dependencies ($ scorecard-linux-amd64 --repo https://github.com/sethmlarson/python-slsa-release-test --checks Pinned-Dependencies)
- Observe a 10/10
Expected behavior
Not to receive a 10/10; instead, the repository would be penalized for not pinning the reusable workflow to a SHA.
Additional context
Related and unfortunately in direct contention with: slsa-framework/slsa-github-generator#722
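The situation in the reproduction steps above, as an added example that is not part of the original report and not Scorecard's own code: a small line-based scan of a workflow file that flags `uses:` references, for both actions and reusable workflows, whose ref is not a full commit SHA. The sample workflow embedded below and the commit hash in it are constructed for illustration; it is modelled on the report (a reusable workflow referenced as `@v1.2.0`), and the hypothetical helpers `scan_workflow`, `unpinned` and `all_pinned` are this example's own names.

```python
"""Flag `uses:` references in a GitHub Actions workflow that are not pinned
to a full commit SHA.

Added example, not Scorecard's implementation: a line-oriented scan rather
than a YAML parse, so it runs without PyYAML.
"""
import re
from typing import List, NamedTuple

# Constructed sample workflow, modelled on the bug report: one action pinned
# to a (made-up) commit SHA, one action and one reusable workflow pinned to
# tags, plus a docker image and a local workflow that have no SHA to pin.
SAMPLE_WORKFLOW = """\
name: release
on: [push]
jobs:
  build:
    runs-on: ubuntu-latest
    steps:
      - uses: actions/checkout@0123456789abcdef0123456789abcdef01234567  # v2.3.3
      - uses: actions/setup-python@v4
      - uses: docker://alpine:3.18
  provenance:
    uses: slsa-framework/slsa-github-generator/.github/workflows/generator_generic_slsa3.yml@v1.2.0
  local:
    uses: ./.github/workflows/helper.yml
"""

# `uses:` either as a step list item ("- uses:") or a job key ("uses:");
# the value may be quoted and may be followed by a trailing comment.
USES_RE = re.compile(r'^\s*-?\s*uses:\s*["\']?([^\s"\'#]+)')
# A full commit: 40 hex chars (SHA-1) or 64 (repositories using SHA-256).
SHA_RE = re.compile(r'^(?:[0-9a-f]{40}|[0-9a-f]{64})$')


class Finding(NamedTuple):
    line: int
    target: str   # repository path before '@'
    ref: str      # tag, branch or SHA after '@' ('' if absent)
    kind: str     # 'action' or 'reusable-workflow'
    pinned: bool


def scan_workflow(text: str) -> List[Finding]:
    """Return every remote `uses:` reference with its pinning status."""
    findings: List[Finding] = []
    for lineno, line in enumerate(text.splitlines(), start=1):
        m = USES_RE.match(line)
        if not m:
            continue
        value = m.group(1)
        # Local references and docker images have no commit to pin to; the
        # Pinned-Dependencies question is about remote repository references.
        if value.startswith('./') or value.startswith('docker://'):
            continue
        target, _, ref = value.partition('@')
        kind = 'reusable-workflow' if '/.github/workflows/' in target else 'action'
        findings.append(Finding(lineno, target, ref, kind, bool(SHA_RE.match(ref))))
    return findings


def unpinned(text: str) -> List[Finding]:
    """Only the references that are pinned to a tag/branch or not at all."""
    return [f for f in scan_workflow(text) if not f.pinned]


def all_pinned(text: str) -> bool:
    """True when every remote action and reusable workflow is SHA-pinned."""
    return not unpinned(text)


if __name__ == '__main__':
    for f in unpinned(SAMPLE_WORKFLOW):
        print(f'line {f.line}: {f.kind} {f.target} is pinned to {f.ref!r}, not a commit SHA')
```

Run against the sample, the scan reports both the tag-pinned action on line 8 and the tag-pinned reusable workflow on line 11, which is the case the report says Scorecard currently misses; the job-level `uses:` key for a reusable workflow has no leading `-`, so a check that only looks at step items would skip it.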