The Scorecard workflow's `Run analysis` step fails when publishing to the OpenSSF webapp:

```
400 Bad Request: imposter commit: f52b05f4acaaa234e44466e66d29050e135ea9ef
does not belong to github/codeql-action/upload-sarif
```

github/codeql-action's `v4.36.0` is an annotated tag; `f52b05f` is the tag-object SHA, not a commit, so it can't be used as a `uses:` ref and Scorecard rejects it as an imposter. The real commit for v4.36.0 is `7211b7c8077ea37d8641b6271f6a365a22a5fbfa`.

Fix: pin `github/codeql-action/upload-sarif` to the dereferenced commit SHA. (The other three actions are already pinned to valid commits.) Scorecard analysis otherwise runs fine — it scored 5.3.
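To check which SHA a `uses:` pin must reference before committing it, the following added example (not part of the original issue) resolves a tag through `git ls-remote` to its peeled commit. It assumes git is installed and builds a throwaway local repo so it runs offline; the same two functions accept a URL such as https://github.com/github/codeql-action in place of the path.

```shell
#!/bin/sh
# Added example: distinguish a tag object's SHA from the commit it points at.
# Only the peeled commit SHA is a valid action pin; the tag-object SHA is what
# Scorecard reports as an "imposter commit".
set -eu

# SHA of the ref itself: the tag object for an annotated tag, the commit for a
# lightweight one. $1 = repo path or URL, $2 = tag name.
tag_object_sha() {
  git ls-remote --tags "$1" "refs/tags/$2" | cut -f1
}

# SHA the tag dereferences to. The ^{} suffix asks ls-remote for the peeled
# object; lightweight tags have no ^{} line, so fall back to the ref itself.
peeled_commit_sha() {
  peeled=$(git ls-remote --tags "$1" "refs/tags/$2^{}" | cut -f1)
  if [ -n "$peeled" ]; then
    printf '%s\n' "$peeled"
  else
    tag_object_sha "$1" "$2"
  fi
}

# Construct a local repo (one empty commit, one annotated tag, one lightweight
# tag) so the example needs no network access. Prints the repo path.
make_demo_repo() {
  dir=$(mktemp -d)
  git -C "$dir" init -q
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    commit -q --allow-empty -m "initial"
  git -C "$dir" -c user.name=demo -c user.email=demo@example.invalid \
    tag -a v1.0.0 -m "release v1.0.0"
  git -C "$dir" tag v1.0.0-light
  printf '%s\n' "$dir"
}

demo() {
  repo=$(make_demo_repo)
  echo "annotated tag object SHA: $(tag_object_sha "$repo" v1.0.0)"
  echo "commit SHA to pin:        $(peeled_commit_sha "$repo" v1.0.0)"
  echo "lightweight tag (same):   $(peeled_commit_sha "$repo" v1.0.0-light)"
}

demo
```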