Fix Scorecard: use commit SHA instead of tag object SHA #4

Merged: VV1NN merged 1 commit into main from fix-scorecard-hash on Apr 16, 2026
VV1NN (Owner) commented Apr 16, 2026

Problem

Scorecard fails with: imposter commit: ea651e6... does not belong to ossf/scorecard-action

Cause

ea651e6... is the annotated tag object, not the actual commit. Scorecard's workflow verification only accepts real commit SHAs.

Fix

Dereferenced v2.4.1 tag → tag object ea651e6... → actual commit f49aabe...

The previous hash ea651e6... pointed to the annotated tag object,
not the actual commit. Scorecard's workflow verification rejects
tag object SHAs as "imposter commits". Dereferenced to the real
commit f49aabe... that the v2.4.1 tag points to.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
VV1NN merged commit 6f43319 into main on Apr 16, 2026
4 checks passed
VV1NN added a commit that referenced this pull request Apr 16, 2026
Same issue as scorecard-action in PR #4. The v3 tag for
github/codeql-action is an annotated tag — 865f5f5... is
the tag object, ce64ddc... is the actual commit.

Co-Authored-By: Claude Opus 4.6 (1M context) <noreply@anthropic.com>
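
The tag-object versus commit distinction that both commit messages describe can be checked before pinning. The following is an added example, not code from this pull request or from the Scorecard project; the function names `peel_tag` and `classify_pin` are hypothetical and the SHAs are constructed placeholders. It reads `git ls-remote --tags` output, where an annotated tag appears twice (the tag object, then a peeled `^{}` entry holding the commit).

```shell
#!/bin/sh
# Added example. `git ls-remote --tags` prints, for an annotated tag:
#   <tag object SHA>  refs/tags/NAME
#   <commit SHA>      refs/tags/NAME^{}   (peeled, i.e. dereferenced)
# A lightweight tag has only the first line, and that SHA is the commit.

# Constructed sample output; these SHAs are placeholders, not real objects.
SAMPLE_LS_REMOTE="$(printf '%s\t%s\n' \
  'aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa' 'refs/tags/v2.4.1' \
  'bbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbbb' 'refs/tags/v2.4.1^{}' \
  'cccccccccccccccccccccccccccccccccccccccc' 'refs/tags/v2.4.0')"

# peel_tag TAG: read ls-remote output on stdin, print the commit SHA for TAG.
# Exits non-zero when the tag is not listed.
peel_tag() {
  awk -v ref="refs/tags/$1" '
    $2 == ref       { direct = $1 }
    $2 == ref "^{}" { peeled = $1 }
    END {
      if (peeled != "")      print peeled   # annotated tag: use peeled entry
      else if (direct != "") print direct   # lightweight tag: already a commit
      else exit 1
    }'
}

# classify_pin TAG SHA: read ls-remote output on stdin and print
#   commit      SHA is the commit the tag resolves to (safe to pin)
#   tag-object  SHA is the annotated tag object (the rejected kind of pin)
#   mismatch    SHA is neither
classify_pin() {
  awk -v ref="refs/tags/$1" -v pin="$2" '
    $2 == ref       { direct = $1 }
    $2 == ref "^{}" { peeled = $1 }
    END {
      if (peeled != "" && pin == peeled)      print "commit"
      else if (peeled != "" && pin == direct) print "tag-object"
      else if (peeled == "" && pin == direct) print "commit"
      else                                    print "mismatch"
    }'
}

# Demo on the constructed sample: the old-style pin is flagged.
printf '%s\n' "$SAMPLE_LS_REMOTE" |
  classify_pin v2.4.1 aaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaaa  # tag-object
```

Against a real repository, pipe `git ls-remote --tags <repo-url>` into either function instead of the sample; in a local clone, `git rev-parse 'TAG^{commit}'` gives the same dereferenced commit.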