0.2.1
Immutable
release. Only release title and notes can be modified.
Added
public-scorecard-json.ymlfor Scorecard JSON artifact mode without
security-events: write, matching estate policy where Scorecard is a
project-health signal rather than a code-scanning alert source.- Checkout controls (
checkout_ref,fetch_depth,submodules) and setup hooks
forprivate-static.ymlandcross-platform-smoke.yml, so private/root
callers can preserve PR refs and submodule validation. - Adapter-migration extension inputs for shared workflows:
actionlint.yml
post_command,secret-scan.ymlreport/config/post-command options, and
public-codeql.ymloptional CodeQL config/autobuild/artifact output.
Changed
- Public examples now default to
public-scorecard-json.yml; SARIF Scorecard
remains available throughpublic-scorecard.ymlfor repositories that
intentionally want code-scanning upload.