fix(ci): split scorecard job to satisfy OpenSSF publish-results job-shape rule#467
Merged
Commit message:

The scorecard job has been failing on every push to main since at least 2026-07-01 with "scorecard job must only have steps with `uses`" — the OpenSSF scorecard-action's publish_results endpoint rejects any job that mixes non-`uses` steps in with the scorecard-action step. Move the min-score shell check into a separate downstream job that consumes the results via artifact upload/download instead of running in-job.

Co-Authored-By: Claude Sonnet 5 <noreply@anthropic.com>
Summary

`scorecard-enforcer.yml` has failed on every single push to `main` since at least 2026-07-01 (verified: last 3+ runs all `failure`), not from any content problem but from a structural workflow bug. The `scorecard` job's actual analysis succeeds (score 7.2/10) but the publish-results step then fails:

```
workflow verification failed: scorecard job must only have steps with `uses`
```

OpenSSF's scorecard-action rejects any job for publish that mixes shell `run:` steps in with the scorecard-action step (anti-tampering restriction, see ossf/scorecard-action#workflow-restrictions). `Check minimum score` shell block.

Fix

Split the single `scorecard` job into two:

- `scorecard`: checkout → scorecard-action → upload-artifact (all `uses:` steps only, satisfies OpenSSF's restriction)
- `check-score`: downloads the artifact, runs the existing min-score shell check unchanged

`check-critical` job is untouched.

Test plan

- `scorecard` job green (publish succeeds) and `check-score` job runs the same min-score logic as before
- `check-critical` job (SECURITY.md / pinned-deps check)

Note

This fixes one of two checks currently red on every push to `main`. The other, `instant-sync.yml`, fails with `Bad credentials` because `FARM_DISPATCH_TOKEN` is dead — that's a secret-rotation action only the owner can take (already tracked in memory as a pending GitHub-identity-rebuild item: mint `HYPATIA_SCAN_PAT`/`DISPATCH_PAT`, drop `FARM_DISPATCH_TOKEN`). Flagging here rather than attempting a code fix for it.

🤖 Generated with Claude Code
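The two-job shape the PR describes, written out as an added illustration (this is not the PR's diff, which is not shown on this page): the `scorecard` job carries only `uses:` steps so publish_results accepts it, and the threshold check moves to a downstream job fed by the artifact. Action version tags, the `results.json` filename, the `MIN_SCORE` value and the assumption that scorecard's JSON output carries a top-level `score` field are all assumptions, not taken from the PR; pin the actions to full commit SHAs in a real workflow.

```yaml
name: scorecard-enforcer

on:
  push:
    branches: [main]

permissions: read-all

jobs:
  scorecard:
    runs-on: ubuntu-latest
    permissions:
      id-token: write          # publish_results authenticates via OIDC
    steps:
      # Only `uses:` steps in this job: any `run:` step here makes
      # publish_results reject the workflow (the failure the PR fixes).
      - uses: actions/checkout@v4
        with:
          persist-credentials: false
      - uses: ossf/scorecard-action@v2.4.0
        with:
          results_file: results.json     # assumed filename
          results_format: json
          publish_results: true
      - uses: actions/upload-artifact@v4
        with:
          name: scorecard-results
          path: results.json

  check-score:
    needs: scorecard
    runs-on: ubuntu-latest
    steps:
      # The shell check lives in its own job, so the restriction above
      # no longer applies; it reads the score from the uploaded artifact.
      - uses: actions/download-artifact@v4
        with:
          name: scorecard-results
      - name: Check minimum score
        env:
          MIN_SCORE: "7"   # placeholder threshold; the PR does not state the real one
        run: |
          score=$(jq -r '.score' results.json)   # assumes a top-level "score" field
          echo "scorecard aggregate score: $score (minimum $MIN_SCORE)"
          # numeric compare; exit 1 (fail the job) when below the floor
          awk -v s="$score" -v m="$MIN_SCORE" 'BEGIN { exit !(s >= m) }'
```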